Making RFPs work

When I take on a job, my first ask is for the Request for Production (RFP) or another official, judge-approved document, clearly calling for specific data from specific devices.

In an ideal world I get an RFP with all the particulars spelled out, with each device clearly listed, with date ranges and a keyword list for search, and clear instructions on exactly how I am to obtain these devices (for example, they are already in the attorney’s possession and they will drop them off at my office).

In reality, it usually doesn’t work that way. This is not to throw shade on lawyers or judges — as a digital forensics analyst, I don’t expect that you would know as much as I do about digital devices — but it means that I often have to work with the attorneys (both sides) to nail down exactly what I am to look for and report on.

Show me the complaint

I always ask to see the complaint as an accompaniment to the RFP. This helps me determine that the RFP is on the right track to produce a full and complete report that speaks to the case.

If something doesn’t seem right with the RFP, I will speak up and discuss it with the attorney. Sometimes it’s just a point that I need clarified, and sometimes it means the RFP needs an overhaul.

Data isn’t where you think it is

In another blog post, Where to find data for your RFP, I detail the different places I might need to look to fulfill the RFP. For example, it’s a common misconception that emails are stored on one’s phone, but the best source for a complete picture of email is the email provider. The same is true for social media posts. They might seem to be “on the phone” because you can see them, but in reality, they are stored on the platform’s servers and sent to your phone when you open the app. These posts are never stored on the phone itself.

If the RFP tells me to look on the phone for something that isn’t on the phone, I’ll work with the attorney to get that point clarified in the RFP, and to set up any meetings with the client or data custodian (owner of the accounts) to obtain the additional information.

Keywords must be specified

I have received more than one RFP with vague search instructions such as, “Produce all emails pertaining to Jane Smith’s employment at XYZ company.” What does this mean, exactly? If I’m searching an archive of work emails, wouldn’t 99% of the emails be work-related, and thus “pertaining to employment”?

Ideally, I get a list of keywords to search that speak to the complaint. For example, if it’s a wrongful termination case, a good list of keywords might be:

  • employment
  • termination
  • fired
  • disciplinary action
  • write-up
  • personnel file

This doesn’t mean that these are the entirety of what I will search for — I often go above and beyond to see what I can find. However, if both sides can agree on this list of keywords, it gives me a baseline and a direction.

If keywords are not specified, I will often work with the attorney to come up with a proposed list.

Contacts’ information must be supplied

I have received more than one RFP that called for “all emails between Jane Smith and John Jones” with no email address specified for John Jones. Or it asks for all text messages with John Jones, and no phone number specified.

I can usually find an email address or phone number in the Contacts section, but I have no way of knowing whether there’s more than one email address or number, or whether a different phone number was being used at the time of the alleged crime (which might be several years earlier). Plus, my time spent searching for this information is billable time, which can add up quickly.

If counsel can’t or won’t provide email addresses and phone numbers, all I can do at that point is include in my report the email addresses and phone numbers I did manage to find.
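Here is how those particulars (the agreed keyword list, the date range, and every known address for the other party) turn into an actual search once an archive is in hand. This is an added example, not the author's own tooling: the messages are constructed samples of the kind found inside a Gmail Takeout export, and the date range, keywords and addresses are assumed values.

```python
# Added illustration, not the author's own tooling; the three messages below are constructed samples.
from email import message_from_string, utils
from datetime import datetime, timezone
SAMPLE_MESSAGES = ["""From: Jane Smith <jane@example.com>
To: John Jones <john.jones@example.com>
Date: Mon, 04 Mar 2019 09:00:00 -0500
Subject: Write-up from last week

Attaching the disciplinary action form per the personnel file review.""",
"""From: HR <hr@example.com>
To: jane@example.com
Date: Tue, 11 Jun 2019 14:30:00 -0500
Subject: Lunch menu

The cafeteria is serving tacos today.""",
"""From: John Jones <jjones@personal.example>
To: jane@example.com
Date: Sat, 10 Jan 2015 08:00:00 -0500
Subject: Fired?

Heard you might be terminated. Call me.""",
]

def find_responsive(raw_messages, start, end, keywords, counterparties):
    # Responsive = inside the date range, involves a listed counterparty address, hits a keyword.
    responsive = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        sent = utils.parsedate_to_datetime(msg["Date"])
        if not start <= sent <= end:
            continue                                   # outside the RFP's date range
        hdrs = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
        addrs = {addr.lower() for _, addr in utils.getaddresses(hdrs)}
        if addrs.isdisjoint(counterparties):
            continue                                   # none of John Jones's known addresses
        body = [p.get_payload(decode=True).decode("utf-8", "replace")
                for p in msg.walk() if p.get_content_type() == "text/plain"]
        text = (msg["Subject"] + "\n" + "\n".join(body)).lower()
        matched = [k for k in keywords if k.lower() in text]
        if matched:
            responsive.append((msg["Subject"], matched))
    return responsive

def demo():
    # Wrongful-termination RFP: five-year window, agreed keywords, both known addresses.
    keywords = ["employment", "termination", "fired", "disciplinary action", "write-up", "personnel file"]
    return find_responsive(SAMPLE_MESSAGES, datetime(2015, 1, 1, tzinfo=timezone.utc),
                           datetime(2019, 12, 31, tzinfo=timezone.utc), keywords,
                           {"john.jones@example.com", "jjones@personal.example"})
```

The 2015 message surfaces only because the second address for John Jones was listed; with one address supplied it would be missed, and the cafeteria mail drops out because neither criterion is met.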

In summary

The more complete and pertinent your RFP, the more I can get on with what I’ve been hired to do — search for data and write a report — rather than spending time in a back-and-forth that ultimately costs your client more money than it needs to.

Where to find data for your RFP – Data Acquisition 101

It is fairly common for me to receive a Request for Production (RFP) with a data acquisition request to obtain “emails from the phone” or “Facebook posts from the phone”. These types of requests require me to educate the attorney (and often, by proxy, the judge) about where different types of data can be found, and that a phone is not the most comprehensive source of emails and social media posts. I don’t mind providing this information — it’s my job! — but to save time, I thought I should write about this as a guide that could come in handy when writing up an RFP.

Mobile Devices

A smartphone might seem to have tons of information on it, but in reality, it holds very limited information:

  • Text messages
  • Photos taken with the phone, along with date and time stamp
  • Phone call logs
  • Messages sent/received with chat apps like WhatsApp and Signal
  • Email headers (not contents of emails)
  • Old/deleted messages, call logs, and photos (to some degree; depends on certain factors)

Information that is usually not on a mobile device, or available only in a very limited capacity, and better sourced elsewhere:

  • Email contents
  • Social media posts
  • Watch activity on YouTube, Netflix, etc.
  • How long a user spent on a specific app
  • Origin of photos posted to social media
  • Logins/passwords for social media apps, banking apps, etc.

To find this other information, it is necessary to go to where this information is stored: on the servers of the app provider.

Emails

To get a comprehensive list of emails, it is necessary to get it from the email server itself.

The most direct approach to get the emails is for the custodian of the email to request to download an archive of all their own emails. For example, if the email account is with Gmail, the custodian can request to download data for their own Gmail account through the Google Takeout service. With the same form, the user can also request data from Google-owned apps like YouTube and Fitbit.

The data is usually not ready right away — Google will email the custodian when the download is ready. However, the custodian must then log into Google with their own account to get the download.

To preserve forensic soundness, it might seem that the analyst should log into the custodian’s account and download the archive, but this can be problematic. Google is (rightly) very security-conscious when it comes to these archives, and will question this new login and put up a few roadblocks, leading to excessive time being spent getting into the account. It also requires the custodian to give the analyst their password, which we like to avoid for the sake of the custodian’s peace of mind.

A better approach is to have the custodian get together with the digital forensics analyst, at the office of one or the other, with the custodian’s laptop in attendance. The analyst plugs their own external drive into the laptop, and the custodian downloads the archive directly to the analyst’s own external drive. This preserves forensic soundness, as the analyst can attest that they watched the archive go right onto their drive. The analyst then unplugs the drive and the two part ways, with the analyst going off to work on parsing emails, social media activity, and any other data requested by the RFP.

For work emails, the company can provide a .PST (Personal Storage Table) file, a common format for emails. Any decent analyst can readily work with a PST file to inspect emails.

Social media activity

All the large social media platforms provide a method for downloading one’s own data such as posts, comments, likes, and private messages. The process is similar to the Gmail process, with each platform having its own portal for such requests. By and large, the archive isn’t available right away, and the custodian receives an email when the download is ready.

The same process as for Gmail above should be employed to ensure the data is forensically sound, without the custodian having to give up their password or the analyst going through a lengthy (and thus costly) process of logging in on behalf of the custodian.

Instructions for each social media platform can be found by searching on “[platform name] download my data,” but here are links for a few of the popular ones:

Watch activity

Streaming services like Netflix give custodians the ability to download their watch history. While this has rarely been needed on a case, it does come up from time to time.

Time spent on app

As for the amount of time a person spent using an app, this is best measured by their activity on the app such as posts and comments, which can be obtained from the downloaded archive.

There is currently no way to measure how long a person looked at an app, as an app can be left open on a phone while the person puts it down or hands it to another person.

In summary

I hope this guide helps you organize the gathering of data for your case, and in writing your RFPs for speedy resolution.

The Fourth Amendment and digital forensics

Some of my clients have been surprised to learn that training in digital forensics includes a sizeable dose of training in Fourth Amendment rights, and the legal aspects of inspecting digital devices.

When I was training in digital forensics at Boston University in 2015, my mobile forensics professor, Dr. Yuting Zhang, particularly stressed to us the importance of knowing and following the law as an investigator and analyst.

This was a key takeaway from my Mobile Forensics & Security class with Dr. Zhang. While the majority of the class curriculum focused on the technology of mobile devices, teaching us file structure, extraction techniques, and approaches to analysis, a good chunk of it was devoted to the laws that we would need to make sure we followed when extracting and inspecting data from digital devices.

Going into the program, I had no idea this was the case — I had assumed that this was the responsibility of the person who handed me the phone or PC for extraction. It turns out that the responsibility falls on all of us in the chain of custody, from the judge who rules on a discovery request and the lawyer who sends me an RFP, all the way down to me.

But once I learned this fact, I grabbed it with both hands and hit the ground running. By the end of class I had memorized the Fourth Amendment to the U.S. Constitution, and was up to date on the still-fast-changing federal and state laws around law enforcement access to mobile devices.

This training has come in handy multiple times. While I’ve never had an attorney ask me to do something that violates the Fourth Amendment, I am regularly asked by lay persons to look at a device that doesn’t belong to them, usually because they suspect their significant other is cheating. I categorically do not take these jobs.

My training also prepared me for situations when, while inspecting data to look for evidence to support (or refute) a particular charge, I might find evidence of a completely different crime, sometimes of a far more serious nature. If this happens, I am to immediately cease inspecting the data and report it to the attorney who hired me. This has happened only once in my nine-year career, but Dr. Zhang had drummed this into me so thoroughly that I acted without hesitation.

We also engaged in discussions of ethics in class, much like a law curriculum (so I’ve heard). For example, what if we were asked to do a mobile analysis for a defense lawyer on a sexual assault case? Could we take the case and remain impartial, despite the heinous nature of the accusation? What if we think the person is guilty?

My take was that everyone deserves the best defense they can get, regardless of the crime or the evidence at hand. That our job is to get at the truth of the matter. Regardless of whether the text messages or emails or documents were inculpatory or exculpatory, it is our job to find them and include them in a coherent report that the judicial system can use as intended. That we are not the judges here — we are simply delivering information, and our opinion of guilt or innocence is not part of the equation.

At the time this was a bit of a revelation, but I incorporated it into my work as a digital forensics analyst, and I fiercely stand by it today. I have taken on cases of some pretty severe crimes, and I do my part: I deliver the exact and complete information, and let the court decide based on the evidence.