Making RFPs work

When I take on a job, my first ask is for the Request for Production (RFP) or another official, judge-approved document, clearly calling for specific data from specific devices.

In an ideal world I get an RFP with all the particulars spelled out, with each device clearly listed, with date ranges and a keyword list for search, and clear instructions on exactly how I am to obtain these devices (for example, they are already in the attorney’s possession and they will drop them off at my office).

In reality, it usually doesn’t work that way. This is not to throw shade on lawyers or judges — as a digital forensics analyst, I don’t expect that you would know as much as I do about digital devices — but it means that I often have to work with the attorneys (both sides) to nail down exactly what I am to look for and report on.

Show me the complaint

I always ask to see the complaint as an accompaniment to the RFP. This helps me determine that the RFP is on the right track to produce a full and complete report that speaks to the case.

If something doesn’t seem right with the RFP, I will speak up and discuss it with the attorney. Sometimes it’s just a point that I need clarified, and sometimes it means the RFP needs an overhaul.

Data isn’t where you think it is

In another blog post, Where to find data for your RFP, I detail the different places I might need to look to fulfill the RFP. For example, it’s a common misconception that a person’s email lives on their phone: the mail app on a phone keeps only a partial, cached copy, and the best source for a complete picture of email is the email provider. The same is true for social media posts. They might seem to be “on the phone” because you can see them, but the app fetches them from the platform’s servers when you open it and keeps at most a temporary cache. The complete record of posts lives on the platform, not on the phone.

If the RFP tells me to look on the phone for something that isn’t on the phone, I’ll work with the attorney to get that point clarified in the RFP, and to set up any meetings with the client or data custodian (owner of the accounts) to obtain the additional information.

Keywords must be specified

I have received more than one RFP with vague search instructions such as, “Produce all emails pertaining to Jane Smith’s employment at XYZ company.” What does this mean, exactly? If I’m searching an archive of work emails, wouldn’t 99% of the emails be work-related, and thus “pertaining to employment”?

Ideally, I get a list of keywords to search that speak to the complaint. For example, if it’s a wrongful termination case, a good list of keywords might be:

  • employment
  • termination
  • fired
  • disciplinary action
  • write-up
  • personnel file

This doesn’t mean that these are the entirety of what I will search for — I often go above and beyond to see what I can find. However, if both sides can agree on this list of keywords, it gives me a baseline and a direction.

If keywords are not specified, I will often work with the attorney to come up with a proposed list.

Contacts’ information must be supplied

I have received more than one RFP that called for “all emails between Jane Smith and John Jones” with no email address specified for John Jones. Or it asks for all text messages with John Jones, and no phone number specified.

I can usually find an email address or phone number in the Contacts section, but I have no way of knowing whether there’s more than one email address or number, or whether a different phone number was being used at the time of the alleged crime (which might be several years earlier). Plus, my time spent searching for this information is billable time, which can add up quickly.

If counsel can’t or won’t provide email addresses and phone numbers, all I can do at that point is include in my report the email addresses and phone numbers I did manage to find.
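To make the two requirements above concrete (an agreed keyword list with a date range, and every address or number counsel can supply for a named contact), here is an added example of a scoped mailbox search. It is not the author’s tooling. It parses RFC 822 messages of the kind an mbox export yields; the keyword list is the wrongful-termination list above, and the messages, addresses and date range are constructed for the example.

```python
"""Scoped mailbox search for an RFP: keyword list, date range, and named contacts.

Added example, not the author's tooling. Sample messages and addresses are constructed.
"""
import re
from datetime import datetime, timezone
from email import message_from_string
from email.policy import default as DEFAULT_POLICY
from email.utils import getaddresses, parsedate_to_datetime
from textwrap import dedent

# Agreed keyword list from the wrongful-termination scenario.
KEYWORDS = ["employment", "termination", "fired",
            "disciplinary action", "write-up", "personnel file"]

# Date range the RFP scopes the search to (timezone-aware so header offsets compare correctly).
START = datetime(2021, 1, 1, tzinfo=timezone.utc)
END = datetime(2021, 12, 31, 23, 59, 59, tzinfo=timezone.utc)

# Every address counsel supplied for the contact; one person often has several.
JOHN_JONES_ADDRESSES = ["john.jones@xyz.example", "jjones@personal.example"]

# Constructed sample messages standing in for the archive (not real case data).
SAMPLE_MESSAGES = [
    dedent("""\
        From: John Jones <john.jones@xyz.example>
        To: Jane Smith <jane.smith@xyz.example>
        Date: Tue, 02 Mar 2021 09:15:00 -0500
        Subject: Disciplinary action - write-up

        Jane, a copy of this write-up will be placed in your personnel file.
        """),
    dedent("""\
        From: jjones@personal.example
        To: jane.smith@xyz.example
        Date: Sat, 10 Apr 2021 18:40:00 -0500
        Subject: Re: your termination

        This confirms the termination of your employment. You were fired effective today.
        """),
    dedent("""\
        From: HR <hr@xyz.example>
        To: jane.smith@xyz.example
        Date: Tue, 15 Jan 2019 08:00:00 -0500
        Subject: Benefits enrollment

        Your employment benefits enrollment window is now open.
        """),
    dedent("""\
        From: jane.smith@xyz.example
        To: coworker@xyz.example
        Date: Fri, 05 Mar 2021 12:01:00 -0500
        Subject: Lunch?

        Pizza at noon?
        """),
]


def participant_addresses(msg):
    """Lower-cased addresses from From/To/Cc/Bcc, ignoring display names and case."""
    raw = [str(v) for header in ("From", "To", "Cc", "Bcc") for v in msg.get_all(header, [])]
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def searchable_text(msg):
    """Subject plus the text/plain body (attachments and HTML alternatives are skipped)."""
    body = msg.get_body(preferencelist=("plain",))
    content = body.get_content() if body is not None else ""
    return f"{msg['Subject'] or ''}\n{content}"


def search_mailbox(raw_messages, keywords, start, end, contact_addresses=None):
    """Messages within [start, end] matching at least one keyword and, when
    contact_addresses is given, involving at least one of those addresses.
    Keywords match as whole words/phrases, case-insensitively, so 'employment'
    does not fire on 'unemployment'."""
    patterns = {k: re.compile(r"\b" + re.escape(k) + r"\b", re.IGNORECASE) for k in keywords}
    contacts = {a.lower() for a in (contact_addresses or [])}
    hits = []
    for raw in raw_messages:
        msg = message_from_string(raw, policy=DEFAULT_POLICY)
        sent = parsedate_to_datetime(str(msg["Date"]))
        if not (start <= sent <= end):
            continue
        parties = participant_addresses(msg)
        if contacts and not (parties & contacts):
            continue
        matched = [k for k, pat in patterns.items() if pat.search(searchable_text(msg))]
        if not matched:
            continue
        hits.append({"date": sent.isoformat(), "subject": str(msg["Subject"]),
                     "parties": sorted(parties), "keywords": matched})
    return hits


def keyword_counts(hits):
    """How many responsive messages each keyword contributed, for the report."""
    counts = {}
    for hit in hits:
        for k in hit["keywords"]:
            counts[k] = counts.get(k, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in search_mailbox(SAMPLE_MESSAGES, KEYWORDS, START, END, JOHN_JONES_ADDRESSES):
        print(hit["date"], hit["subject"], hit["keywords"])
```

Run with only the work address for John Jones and the second message drops out of the results, which is exactly the gap described above: the search is only as complete as the contact information supplied with the RFP.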

In summary

The more complete and pertinent your RFP, the more I can get on with what I’ve been hired to do — search for data and write a report — rather than spending time in a back-and-forth that ultimately costs your client more money than it needs to.

Where to find data for your RFP – Data Acquisition 101

It is fairly common for me to receive a Request for Production (RFP) with a data acquisition request to obtain “emails from the phone” or “Facebook posts from the phone”. These types of requests require me to educate the attorney (and often, by proxy, the judge) about where different types of data can be found, and that a phone is not the most comprehensive source of emails and social media posts. I don’t mind providing this information — it’s my job! — but to save time, I thought I should write about this as a guide that could come in handy when writing up an RFP.

Mobile Devices

A smartphone might seem to have tons of information on it, but in reality, the data stored on the device itself is fairly limited:

  • Text messages
  • Photos taken with the phone, along with date and time stamp
  • Phone call logs
  • Messages sent/received with chat apps like WhatsApp and Signal
  • Cached email (typically only recent messages and headers, not the complete mailbox)
  • Old/deleted messages, call logs, and photos (to some degree; depends on certain factors)

Information that is usually not on a mobile device, or available only in a very limited capacity, and better sourced elsewhere:

  • Email contents
  • Social media posts
  • Watch activity on YouTube, Netflix, etc.
  • How long a user spent on a specific app
  • Origin of photos posted to social media
  • Logins/passwords for social media apps, banking apps, etc.

To find this other information, it is necessary to go to where this information is stored: on the servers of the app provider.

Emails

To get a comprehensive list of emails, it is necessary to get it from the email server itself.

The most direct approach to get the emails is for the custodian of the email to request to download an archive of all their own emails. For example, if the email account is with Gmail, the custodian can request to download data for their own Gmail account through the Google Takeout service. With the same form, the user can also request data from Google-owned apps like YouTube and Fitbit.

The data is usually not ready right away — Google will email the custodian when the download is ready. However, the custodian must then log into Google with their own account to get the download.

To preserve forensic soundness, it might seem that the analyst should log into the custodian’s account and download the archive, but this can be problematic. Google is (rightly) very security-conscious when it comes to these archives, and will question this new login and put up a few roadblocks, leading to excessive time being spent getting into the account. It also requires the custodian to give the analyst their password, which we like to avoid for the sake of the custodian’s peace of mind.

A better approach is to have the custodian meet the digital forensics analyst, at the office of one or the other, with the custodian’s laptop on hand. The analyst plugs their own external drive into the laptop, and the custodian downloads the archive directly onto the analyst’s drive. This preserves forensic soundness, as the analyst can attest that they watched the archive go straight onto their drive; computing a cryptographic hash (for example SHA-256) of the archive at that moment and noting it with the date and time gives that attestation something verifiable to stand on. The analyst then unplugs the drive and the two part ways, with the analyst going off to parse emails, social media activity, and any other data requested by the RFP.
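As an added example of what the analyst can do the moment the archive lands on their drive (this is not the author’s tooling): hash the file, list its members, and write a custody record beside it, then re-verify later. It assumes the archive is a .zip such as Google Takeout produces; the record layout, field names and the placeholder archive contents are constructed for the example.

```python
"""Receipt hashing and chain-of-custody record for a custodian-downloaded archive.

Added example, not the author's tooling. Record layout and sample archive are constructed.
"""
import hashlib
import json
import os
import tempfile
import zipfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so multi-gigabyte archives need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_archive_members(path):
    """Names and uncompressed sizes of the archive's members, for the custody record."""
    with zipfile.ZipFile(path) as zf:
        return [(info.filename, info.file_size) for info in zf.infolist()]


def record_receipt(path, analyst, custodian, witnessed=True):
    """Build the custody entry for the moment the archive lands on the analyst's drive."""
    record = {
        "file": os.path.basename(path),
        "size_bytes": os.stat(path).st_size,
        "sha256": sha256_file(path),
        "received_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "analyst": analyst,
        "custodian": custodian,
        "download_witnessed_by_analyst": witnessed,
        "members": list_archive_members(path),
    }
    # Keep the record beside the archive so it travels with the evidence copy.
    with open(path + ".custody.json", "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2)
    return record


def verify_receipt(path, record):
    """Re-hash the archive and compare size and digest with the recorded values."""
    return (os.stat(path).st_size == record["size_bytes"]
            and sha256_file(path) == record["sha256"])


def demo():
    """Build a constructed Takeout-style zip, record it, then show that tampering is caught."""
    workdir = tempfile.mkdtemp()
    archive = os.path.join(workdir, "takeout-20240101T000000Z-001.zip")
    with zipfile.ZipFile(archive, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        # Constructed placeholder content standing in for the real mbox export.
        zf.writestr("Takeout/Mail/All mail Including Spam and Trash.mbox",
                    "From jane@example.invalid Mon Jan  1 00:00:00 2024\n"
                    "Subject: test\n\nhello\n")
    record = record_receipt(archive, analyst="Analyst", custodian="Custodian")
    ok_before = verify_receipt(archive, record)
    # Simulate a post-receipt modification of the evidence copy: flip one bit of the last byte.
    with open(archive, "r+b") as fh:
        fh.seek(-1, os.SEEK_END)
        last = fh.read(1)
        fh.seek(-1, os.SEEK_END)
        fh.write(bytes([last[0] ^ 0x01]))
    ok_after = verify_receipt(archive, record)
    return record, ok_before, ok_after


if __name__ == "__main__":
    rec, before, after = demo()
    print(json.dumps({"sha256": rec["sha256"], "verified": before,
                      "verified_after_tamper": after}, indent=2))
```

The size check alone would not catch the single flipped byte; the hash does, which is why the digest, not the file size, is what goes into the report.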

For work emails, the company can provide a .PST (Personal Storage Table) file, a common format for emails. Any decent analyst can readily work with a PST file to inspect emails.

Social media activity

All the large social media platforms provide a method for downloading one’s own data such as posts, comments, likes, and private messages. The process is similar to the Gmail process, with each platform having its own portal for such requests. By and large, the archive isn’t available right away, and the custodian receives an email when the download is ready.

The same process as for Gmail above should be employed to ensure the data is forensically sound, without the custodian having to give up their password or the analyst going through a lengthy (and thus costly) process of logging in on behalf of the custodian.

Instructions for each social media platform can be found by searching on “[platform name] download my data,” but here are links for a few of the popular ones:

Watch activity

Streaming services like Netflix give custodians the ability to download their watch history. While this has rarely been needed on a case, it does come up from time to time.

Time spent on app

As for the amount of time a person spent using an app, this is best measured by their activity on the app, such as posts and comments, which can be obtained from the downloaded archive.

The phone’s own usage counters (Screen Time on iOS, Digital Wellbeing on Android) record how long an app was in the foreground, but foreground time does not prove that anyone was looking at the app: it can be left open while the phone sits on a table or is handed to another person. There is currently no way to measure how long a person actually looked at an app.

In summary

I hope this guide helps you organize the gathering of data for your case, and in writing your RFPs for speedy resolution.

The Fourth Amendment and digital forensics

Some of my clients have been surprised to learn that training in digital forensics includes a sizeable dose of training in Fourth Amendment rights, and the legal aspects of inspecting digital devices.

When I was training in digital forensics at Boston University in 2015, my mobile forensics professor, Dr. Yuting Zhang, particularly stressed to us the importance of knowing and following the law as an investigator and analyst.

This was a key takeaway from my Mobile Forensics & Security class with Dr. Zhang. While the majority of the class curriculum focused on the technology of mobile devices, teaching us file structure, extraction techniques, and approaches to analysis, a good chunk of it was devoted to the laws that we would need to make sure we followed when extracting and inspecting data from digital devices.

Going into the program, I had no idea this was the case — I had assumed that this was the responsibility of the person who handed me the phone or PC for extraction. It turns out that the responsibility falls on all of us in the chain of custody, from the judge who rules on a discovery request and the lawyer who sends me an RFP, all the way down to me.

But once I learned this fact, I grabbed it with both hands and hit the ground running. By the end of class I had memorized the Fourth Amendment to the U.S. Constitution, and was up to date on the still-fast-changing federal and state laws around law enforcement access to mobile devices.

This training has come in handy multiple times. While I’ve never had an attorney ask me to do something that violates the Fourth Amendment, I am regularly asked by lay people to look at a device that doesn’t belong to them, usually because they suspect their significant other is cheating. I categorically do not take these jobs.

My training also prepared me for situations in which, while inspecting data for evidence that supports (or refutes) a particular charge, I might find evidence of a completely different crime, sometimes of a far more serious nature. If this happens, I am to immediately cease inspecting the data and report it to the attorney who hired me. This has happened only once in my nine-year career, but Dr. Zhang had drummed this into me so thoroughly that I acted without hesitation.

We also engaged in discussions of ethics in class, much like a law curriculum (so I’ve heard). For example, what if we were asked to do a mobile analysis for a defense lawyer on a sexual assault case? Could we take the case and remain impartial, despite the heinous nature of the accusation? What if we think the person is guilty?

My take was that everyone deserves the best defense they can get, regardless of the crime or the evidence at hand. That our job is to get at the truth of the matter. Regardless of whether the text messages or emails or documents were inculpatory or exculpatory, it is our job to find them and include them in a coherent report that the judicial system can use as intended. That we are not the judges here — we are simply delivering information, and our opinion of guilt or innocence is not part of the equation.

At the time this was a bit of a revelation, but I incorporated it into my work as a digital forensics analyst, and I fiercely stand by it today. I have taken on cases of some pretty severe crimes, and I do my part: I deliver the exact and complete information, and let the court decide based on the evidence.

Frequently Asked Questions

Here’s a selection of questions I get on a regular basis as a freelance digital forensics analyst.

What does a digital forensics specialist do?

I extract data from cell phones and computers, and analyze it for the purpose of a civil or criminal case. I write up a report on my findings, which may be included as legal evidence for the case.

What training do you have? What are your qualifications?

I have a Master’s Degree in Computer Science with a Focus on Security from Boston University (2017) which trained me on file systems, extraction methods, and the legal aspects of data acquisition and analysis.

Do you take on criminal or civil cases?

I have taken on both criminal and civil cases, with a slight majority (about 60%) being civil cases.

What areas have you worked in most?

The areas I’ve worked in most are:

  • Data theft
  • Breach of contract
  • Wrongful termination
  • Insurance fraud
  • Child pornography

This is not a complete list, just the highlights.

Who do you work for?

I work on a freelance basis, and only on cases where I feel my services will be of actual assistance.

Do you work for prosecution or defense?

I take both types of cases, but the majority have been defense, largely because the prosecution is often the state and they have their own digital forensics analysts.

What is the process for data extraction?

Data extraction is performed differently on phones and computers.

  • Phones: I attach the phone to my computer via a cable, and use software on my forensics computer to pull the data from the phone. This ordinarily takes around 2-3 hours, depending on the amount of storage on the device. Then I return the phone to its owner and perform the analysis on the data I’ve extracted.
  • Computers: I attach an external drive to the computer, and extract the data from the computer onto the drive. Then I can return the computer to its owner, and perform the analysis on the data on the drive.

In both types of extraction, the emphasis is on (a) pulling a full and complete data set from the device, (b) performing the analysis on the copy, not the actual device, and (c) returning the device to its owner as quickly as possible, especially in the case of phones.

What is the process for data inspection?

I use software to parse and search the data extracted from the device. This is critical, since modern devices often contain many gigabytes of data, and inspecting such a volume manually would take an inordinate amount of time.

My go-to software is Cellebrite Inspector, but I have access to numerous other tools for specific tasks, such as an EXIF metadata reader for photo/image inspection.

Can you testify as an expert?

I have testified in the past, and am always willing to back up any of my work or reports with expert testimony. To back up the veracity of my statements, I have a Master’s Degree in Computer Science with a Focus on Security, and have passed security clearance when needed.

Who can hire you?

I take cases only through lawyers.

One exception is that I will take cases from individuals who have recently lost a loved one and wish to have the data on their cell phone or computer analyzed to get more clarity on how and why. In such a case, I will ask for proof that the individual has the legal right to access the phone or computer.

I most emphatically do not take on investigations of a living spouse’s phone or computer without their permission or a court order, for any reason.

Can I call for a consultation?

Yes! I am always happy to discuss your case, and the role that digital forensics may or may not play in it. The first call (and often the second) is free, and I will give you my honest opinion about whether I can help you, and if not, I will try to point you in the right direction.

What happens if I decide to hire you?

The first thing we’ll do is discuss the scope of the work and come up with a time estimate. Then we’ll sign a short agreement and you’ll pay a deposit, usually 50% of the total estimate.

Then you send me the RFP or court order, and also the complaint. If I have questions about the RFP, we work together to resolve them before I begin work.

Then I provide a list of the tasks to be performed, and a rough time estimate for each. As the work progresses, I keep you apprised of how much time is spent on each step, especially if roadblocks come up that make a step take much longer than expected. We work together to resolve these issues.

I produce a preliminary report for you, and you can request that the report include or exclude privileged or irrelevant data, or request a different format. The goal is a report that you can read, refer to, and use to move the case forward.

When the job is done, I return any of the funds not used.

What is your rate?

My standard rate is $300/hr, with a lower rate for longer jobs or repeat business.