Short Message Service (SMS) is Not Just for Teenagers Anymore
As mobile device usage and capabilities increase, the importance of these gadgets as potential sources of electronically stored information (ESI) becomes undeniable. The more we rely on these accessories as vehicles for business communications and entertainment, the more data we create and consume. For every additional bit and byte that is born in the ether, there is a heightened chance that the information will become fodder for electronic discovery (eDiscovery). Despite this increasingly large amount of information, marooned mobile device data can provide a number of unique hurdles throughout the litigation life-cycle. Every step could potentially expose variables and scenarios that challenge even the most experienced eDiscovery counsel and technicians. The challenge is amplified by the sheer number of different device models available in today’s competitive, lucrative, and growing mobile communications market. Each device, from pocket-sized mobile phones to tablets ranging in size from a paperback thriller to a traditional manila folder, can foster its own unique eDiscovery complications.
For law firms and corporations, the challenge is not to understand the technical architecture of each and every device, but rather how the devices used by your custodians generate and manage data. Once an organization maps an inventory of its own unique portfolio of cell phones and tablets, a consistent and repeatable process should be instituted to ensure data is properly identified, preserved, and considered for use in internal investigations, regulatory and law enforcement scenarios, and eDiscovery proceedings. Thankfully, enterprise technology usage policies and data retention schemes are more ubiquitous today than in years past, and the approach to information governance should be no different with mobile devices. In the same way that email evolved into a convenient way to conduct a conversation without involving the US Postal Service or a telephone, short message service (SMS) messaging has become a more widely accepted and legitimate mode of communication for businesspeople and teenagers alike.
Early efforts at preserving and producing SMS messages from flip phones and BlackBerrys were commonly avoided with an excuse of undue burden and cost. However, as mobile technology becomes cheaper, more ubiquitous, and even wearable, litigants who unilaterally determine that these short communications are inaccessible do so at their own peril. The best offense is a great defense and the same applies to governance of mobile communications. This guide will help you engineer proactive policies and preservation plans around SMS messaging, one of today’s most popular ways to communicate.
Mobile Device Usage is Not a Fad
The increased use of mobile devices is no secret and the numbers clearly support the essentially universal adoption we used to associate with traditional land-line telephones. In 2011, only 17% of the global population was without at least a basic mobile phone; by 2013 the “off-the-grid” population fell to 9%. Furthermore, during the same period of time, the adoption of smartphones, which have features resembling a personal computer such as email connectivity, digital cameras, and GPS location functionality, jumped from 35% in 2011 to 56% in 2013.1 2013 marked the first year where over half of the world’s population owned a smartphone, a development that shows no sign of slowing.
It should be no surprise that the smartphone proliferation has led to a fundamental change in how people access and interact with their data and each other. A hearty 17.1% of global web usage comes from mobile sources, up from 11.1% in 2012.2 It would certainly not be unreasonable to suggest that number will rise, given the globe’s insatiable demand for technology and the ever-connected lifestyle.
All of these trends provide an important bellwether for eDiscovery, which closely associates the increase in mobile device usage with an increase in ESI generated from mobile sources. More business meetings and routine correspondence are being conducted on the go, the nearly permanent records of which are potentially relevant to any number of litigation scenarios. Forty-three percent of users open emails from their mobile devices, a 33 percent leap from 2011, and that trend comes at the expense of reading email on desktop computers, which is down from 58% to 32%.3
Combine email with SMS messaging and it becomes clear that mobile phones and tablets are thorny ESI caches that organizations need to be aware of in the event of litigation. Ninety-two percent of US smartphone owners use SMS messaging, and those users send an average of 111 messages per week.4 Corporations need to understand how these messages and emails are stored in order to institute appropriate usage, retention, and incident response policies.
Data Retention Issues and Recent Case Law
Recent judicial experiences are littered with examples of litigants grappling with issues of mobile device preservation. For example, while allowing discovery of class members’ social media, text messages, and email in EEOC v. The Original Honey Baked Ham Company of Georgia Inc. (Feb. 27, 2013), Magistrate Judge Michael E. Hegarty opined, “if there are documents in this folder that contain information that is relevant or may lead to the discovery of admissible evidence relating to this lawsuit, the presumption is that it should be produced. The fact that it exists in cyberspace on an electronic device is a logistical and, perhaps, financial problem, but not a circumstance that removes the information from accessibility by a party opponent in litigation.” It is clear that arguments around inaccessibility, burden, and even privacy will fall on deaf ears when it comes to preservation and collection of relevant ESI no matter where it resides.
Garcia v. City of Laredo (Dec. 12, 2012) saw the United States Court of Appeals for the Fifth Circuit confirm the Texas district court’s opinion that mobile phones do not fall under the protections afforded by the Stored Communications Act (SCA) of 1986. The SCA sought to extend Fourth Amendment rights to information carriers such as Internet Service Providers (ISPs) to protect them against unreasonable search and seizure. Plaintiff unsuccessfully argued that the City of Laredo violated the SCA by accessing information stored on her mobile phone without her permission. Circuit Judge W. Eugene Davis concluded that a mobile phone is not a facility through which an electronic communication service is provided and that only “electronic storage” that is provided by an electronic communication service is within the scope of the SCA. In other words, data stored on the physical device itself is not protected, but data hosted by, or in transit through, a communication provider such as Verizon or AT&T falls under the SCA’s scope.
Case law about spoliation of workstations, email, and accounting data is already well documented, but decisions around mobile device preservation are starting to take center stage. In the matter of Christou v. Beatport, LLC (D. Colo. Jan. 23, 2013), Defendant failed to preserve text messages on an iPhone that allegedly was lost or stolen approximately eight months after preservation letters were exchanged. Defendant maintained that sanctions were not warranted because no relevant text messages existed on the device, a point which Plaintiff dismissed because there was no indication “…that defense counsel reviewed [Defendant’s] text messages and determined that they contained nothing of relevance.” Although Judge R. Brooke Jackson did not grant an adverse jury instruction, spoliation sanctions were warranted and Plaintiffs would be allowed to produce the legal hold letter at trial and argue “whatever inference they hope the jury will draw.”
In a more recent matter, Judge Francisco A. Besosa delivered an adverse inference instruction in the matter of Calderon v. Corporacion Puertorriqueña de Salud (D.P.R. Jan. 16, 2014) for the “conscious abandonment of potentially useful evidence.” The evidence in question in this harassment and discrimination case was a series of SMS messages and emails between the plaintiff and the alleged harasser. Defendants argued that Plaintiff’s admission that some of the communications had been deleted, while others were, warranted case dismissal. Defendants were able to preserve and produce communications among the parties that Plaintiffs also should have preserved and produced, but did not. Although Judge Besosa concluded that spoliation by Plaintiffs was not “particularly egregious or extreme,” he did note that after spoliation is determined, “…the Court enjoys considerable discretion over whether to sanction the offending party.”
Implementing a Mobile Device Management Policy
These cases alone justify the creation of a mobile device management (MDM) policy and incident response plan well in advance of litigation or regulatory events. Together, they establish that electronic communications of all kinds are considered accessible by the courts and will not be afforded certain expectations of privacy. Prior to enacting a mobile device management policy, an organization must know exactly what devices it has, or will have, in order to better understand the hurdles unique to each manufacturer or operating system. Consider the following storage systems, retention schemes, deleted item recovery options, and preservation options for some of today’s most popular mobile devices when formulating a mobile device management strategy or responding to a preservation trigger.
Method of SMS/MMS/Chat Storage: Apple devices such as the iPhone and iPad employ variations of the Apple Darwin operating system which was later branded as the “iPhone OS” and ultimately shortened to simply “iOS.” Apple devices currently store text message information inside a special-purpose SQLite database appropriately named “SMS.db.”5 When iOS 5 emerged in 2011, Apple added a special iOS-to-iOS messaging feature called iMessage. Although iMessages do not transmit via the Short Message Service (SMS) protocol, iMessages are also stored within the SMS.db structure.
Retention Scheme: With iOS 5, Apple capped the messaging database to 15 megabytes, or approximately 75,000 text messages.6 Once the limit is reached, the user receives a warning that his or her “SMS mailbox is full”7 and the user should delete messages in order to free up space. More recent iOS versions have expanded storage limits, but there is no retention menu built into the operating system to allow the user or an administrator to expire messages after a certain time or based on certain rules. Thus, messages are retained until the user deletes them or until the SMS database limit is reached, whereupon no additional messages can be stored, dependent again on the iOS version in use.
Deleted Item Recovery: When a user deletes a message, that message is simply flagged in the SMS database to be hidden from the user’s view. There is no evidence to suggest that the iPhone or iPad will automatically delete or overwrite messages, although a periodic “vacuum” routine purges deleted records from the SMS database. The vacuum occurs at “page level” in digital storage terms and one page of storage space generally holds up to four kilobytes of data. If every single SMS record stored on a particular page of memory has been marked for deletion, the records are permanently deleted; if there is even one single “active” message on that page, the entire page will remain intact. This can result in an anomaly where relatively older deleted messages are forensically recoverable, but more recently deleted messages are not recoverable because they happen to reside on a memory page that contains only deleted messages.
iOS also features device-wide indexing and searching. Users may find on occasion that previously-deleted text messages are still visible when performing a Spotlight search because the content has not been fully purged from the Spotlight index. It is also possible to search unallocated space on an iOS device; however, if the device is equipped with file-level encryption, unallocated space may be completely inaccessible because the keys used to encrypt the data at the time it was created have been discarded.
Legal Hold & Preservation Options: Although Apple does not provide a central, enterprise-level Mobile Device Management (MDM) suite of tools, iOS comes equipped with an MDM programming interface which allows an organization to use third party tools to manage the devices. The MDM interface can be used to enforce security, usage, and configuration policies on the devices. It cannot, however, be used to view calendar entries, contact information, SMS or iMessage content, photos, call logs, or GPS information. Currently, there are no central administrative tools that can force SMS messages to expire or be deleted from an iOS device; even if such a management tool existed, expired messages may still be recoverable using forensic tools.
If an organization wishes to catalog or retain the user-generated content of an iOS device, they must either obtain a backup of the device via iTunes (or a third-party alternative), receive user consent to access iCloud backup storage, or deploy forensic tools to capture a device-level or file system level image. Alternatively, there are third-party applications that can be used to simply extract the SMS, iMessage, or other targeted data from the device when connected to a laptop or desktop computer. Although many of these tools are quite robust, they may fall short of a true enterprise solution and the demands of eDiscovery or law enforcement.
Android Devices (Samsung Galaxy Family of Devices)
Method of SMS/MMS/Chat Storage: A recent IDC study revealed that Google’s Android operating system holds a hearty 80% share of the global mobile device operating system market.8 The increasingly popular Samsung Galaxy S3, S4, Tab, and other Android devices running the Jelly Bean operating system (versions 4.1.x to 4.3.x) store messages in a dedicated SQLite database named “mmssms.db.”9 This database is inaccessible outside of the Android application environment unless the user has obtained “root access” on the device, which would open gates to the system’s privileged files.
Retention Scheme: By default, the S3 and S4 retain 200 SMS and 20 Multimedia Messaging Service (MMS) messages per conversation.10 In addition, the devices automatically convert SMS messages longer than 800 characters into MMS messages. Once these thresholds have been exceeded, the device’s automatic deletion policy is activated to erase the oldest messages. However, these settings, with the exception of the MMS conversion process itself, are configurable and can be controlled individually or by using a third party MDM suite. The device will continue to operate up to these limits with each new conversation as long as storage is available. If the device’s free storage space falls to 10 megabytes or less, depending on the particular device and Android version, the device will register a “full memory” notification and prompt the user to delete messages or other files.11
Deleted Item Recovery: Currently, there are several third-party programs that offer deleted item recovery both as Android applications and desktop software. Due to the wide variety of Android devices and marketing-focused software modifications by wireless carriers, these applications are device-specific and the results vary greatly depending on the version of the operating system, how much storage is remaining, and the time elapsed since deletion of the items. As free storage is re-allocated to new data, the remnants of these deleted files are over-written. Forensic tools are also available to attempt recovery of items from within the device’s various SQLite databases, similar to widely used methods to recover corrupt or deleted data from Microsoft SQL Server running on physical Windows servers.
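The SQLite behaviour behind this paragraph and the iOS “Deleted Item Recovery” paragraph above, as an added Python example that is not from the original article or from any forensic product: it deletes a row from a message store, carves the stale bytes out of the free space of each b-tree page, then shows that VACUUM removes them. The `message` table, its rows, and the function names are constructed for illustration and are not the real SMS.db or mmssms.db schema; the example assumes `secure_delete` is off and does not examine freelist or overflow pages.

```python
import os
import re
import sqlite3
import struct
import tempfile

# B-tree page types from the SQLite file format, mapped to header length.
BTREE_HEADER_LEN = {0x02: 12, 0x05: 12, 0x0A: 8, 0x0D: 8}


def free_regions(page, hdr):
    """Yield byte ranges of one b-tree page that hold no live cell."""
    kind = page[hdr]
    if kind not in BTREE_HEADER_LEN:
        return  # freelist, overflow or pointer-map page: not handled here
    first_free, ncells, content = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
    content = content or 65536
    # Unallocated gap between the cell pointer array and the first cell.
    ptr_end = hdr + BTREE_HEADER_LEN[kind] + 2 * ncells
    yield page[ptr_end:content]
    # Freeblock chain: 2-byte next offset, 2-byte size, then stale bytes.
    seen, off = set(), first_free
    while off and off not in seen and off + 4 <= len(page):
        seen.add(off)
        nxt, size = struct.unpack(">HH", page[off:off + 4])
        yield page[off + 4:off + size]
        off = nxt


def carve_deleted_text(db_path, min_len=6):
    """Return printable runs found in the free space of every b-tree page."""
    with open(db_path, "rb") as fh:
        raw = fh.read()
    page_size = struct.unpack(">H", raw[16:18])[0]
    page_size = 65536 if page_size == 1 else page_size
    hits = []
    for n in range(len(raw) // page_size):
        page = raw[n * page_size:(n + 1) * page_size]
        hdr = 100 if n == 0 else 0  # page 1 begins with the 100-byte file header
        for region in free_regions(page, hdr):
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, region):
                hits.append(m.group().decode("ascii"))
    return hits


def demo():
    """Build a constructed message store, delete a row, carve, then VACUUM."""
    path = os.path.join(tempfile.mkdtemp(), "constructed_sms.db")
    con = sqlite3.connect(path, isolation_level=None)  # autocommit mode
    con.execute("PRAGMA secure_delete = OFF")  # assumption: freed bytes are kept
    con.execute(
        "CREATE TABLE message (id INTEGER PRIMARY KEY, address TEXT, body TEXT)"
    )
    con.executemany("INSERT INTO message VALUES (?, ?, ?)", [
        (1, "+15550100", "Lunch at noon works for me"),        # constructed rows
        (2, "+15550101", "Please shred the Q3 pricing memo"),
        (3, "+15550102", "Running ten minutes late"),
    ])
    con.execute("DELETE FROM message WHERE id = 2")
    visible = [row[0] for row in con.execute("SELECT body FROM message")]
    before = carve_deleted_text(path)  # deleted body still in a freeblock
    con.execute("VACUUM")              # rebuilds the file from live rows only
    con.close()
    after = carve_deleted_text(path)
    return visible, before, after


if __name__ == "__main__":
    visible, before, after = demo()
    print("visible to the user:", visible)
    print("carved before VACUUM:", before)
    print("carved after VACUUM:", after)
```

The first four bytes of a freed cell are overwritten by the freeblock header, so a carved remnant usually keeps the text columns while losing the row ID and part of the record header.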
Legal Hold & Preservation Options: Samsung and, by extension, the family of Galaxy devices, have deployed a bundled set of corporate-friendly features such as device encryption, VPN access, and a secure implementation of Microsoft Exchange ActiveSync. Known as Samsung For Enterprise (SAFE), the MDM toolkit allows enterprise security officers to rest assured that their users’ Samsung devices are “enterprise ready.” This designation allows for enterprise-level MDM through one of Samsung’s third-party software partners, which include Mobile Iron, SAP, and AirWatch.12 Accordingly, a “sandbox” can be established on the device using the pre-installed Samsung KNOX security environment which provides enterprise administrators with secure, IT-compliant access to large numbers of devices including bring-your-own-device (BYOD) participants. In fact, early in 2013, the US Department of Defense approved the use of Android devices that are managed under the KNOX umbrella.
After configuring the KNOX sandbox environment, enterprise-level policies can be translated into globally-applied email, application, SMS, and Internet browsing configurations. These policies can be used to establish application requirements or restrictions along with the same type of controls that already exist for operating system and software updates. Although devices can be wiped, tracked, or powered down from a central management console in the event of loss or theft, current MDM solutions do not provide the ability to remotely collect or preserve text message content to respond to a legal or compliance request.
BlackBerry Devices / BES
Method of SMS/MMS/Chat Storage: Like many other mobile devices, BlackBerry smartphones store data within multiple special-purpose databases on the device’s storage system. In fact, there are over 120 databases on the latest BlackBerry models that store everything from the Address Book to Internet browsing history and GPS coordinates.13 The BlackBerry also stores its messaging data, including PIN, SMS, MMS, and RIM’s proprietary BlackBerry Messenger (BBM) messages in such databases. Much of this data can be logged, archived, or both from the BlackBerry Enterprise Server (BES) management environment.
Retention Scheme: By default, most BlackBerry messages including email and SMS messages are retained on the device for up to 30 days depending on the device’s model number. In an enterprise environment, email retention is governed by the policies set forth on the Exchange or Lotus Domino servers; therefore, an email purged from the device after 30 days will likely remain in the user’s mailbox on the email server or within the company’s email archive system.14 However, SMS messages that are deleted by the user or auto-deleted based on their age are likely not present in any other storage system and, as a result, present a unique ESI preservation challenge. Once they are purged from the device, SMS messages are potentially only recoverable by use of mobile device forensic software. To prevent auto-deletion, the user or administrator may set the message retention period to “forever,” although large SMS, MMS, and BBM databases can result in a slower user interface experience.
Deleted Item Recovery: Because SMS and other messaging data are stored within multi-purpose databases on the BlackBerry device and pressing the “delete” button simply “hides” the messages from the user’s view, there exists a potential for recovery of deleted items. The only theoretical limit on the number of messages stored in the SMS database comes from the storage capacity of the device and the relative size of the messaging database. The BlackBerry operating system decides when previously-deleted data will be overwritten with new data, including within the SMS database. In a data preservation or recovery scenario, the quicker the device is acquired the better the chances of recovering previously-deleted messages.
Legal Hold & Preservation Options: The BlackBerry Enterprise Server is capable of logging and archiving PIN, SMS, MMS, and BBM messages. The administrator can configure the system to capture both the metadata for each message (sender, recipient, date/time, etc.) and the actual content. Under no circumstances, however, will the BES server record or capture pictures sent via any of these protocols. Options for ongoing retention include logging, content archiving, or both. The organization can then set policies around how long, and under what conditions, those logs and content will be kept. GPS information can also be cataloged, but the managing organization must evaluate the potential benefits (asset loss prevention, safety of personnel) against the potential risks (personal privacy).
Another option for BlackBerry devices is the use of the BlackBerry Desktop Manager (BDM) or BlackBerry Link depending on the version of the device. This is the primary method by which a user or administrator can create either a full, or selective, backup of the device. Under a full backup, the entire device is captured to a file on a PC or Mac; with a selective backup, the user can be more specific about which data is captured in the backup. Although the SMS and other messages captured in the backup are not viewable directly from the BDM or Link interface, there are several third-party applications that can access and extract individual content types as well as attempt to recover previously-deleted items.
An organization may choose to have users or local IT administrators perform BDM or Link backups of devices in a regulatory, audit, or litigation scenario. Such backups can be copied to a central location from the user or administrator’s PC and retained for the necessary legal hold duration. A more defensible, but more costly, option is to acquire a physical or logical forensic image of the target devices and extract the required data using industry standard forensic toolkits.
Windows Phone 8
Method of SMS/MMS/Chat Storage: Messages on Windows mobile devices are stored within a Microsoft Embedded Database (EDB) labeled “CEMAIL.VOL” which is the same method of storage implemented for email messages within the Microsoft device. SMS messages also reside in a more familiar folder structure at Windows\Messaging. However, both of these databases are inaccessible by the user outside of the Windows application environment, as the operating system prevents read access rights by utilizing a layer of hardware abstraction.15
Retention Scheme: By default, messages are stored until the device falls short of free storage space. To prevent data loss and storage issues, users can deploy their cloud-based Microsoft SkyDrive account as an on-demand backup solution. Once a user links their SkyDrive account to the device, the default configuration backs up all current and future text messages in a manner similar to email journaling. Message databases can be moved to external SD cards, which allows for a potentially large volume of messaging information to be stored on a removable piece of media. “Low memory” notifications occur once the device reaches a critically low level of available storage. The exact threshold of storage needed to trigger this notification depends on native device storage, SkyDrive syncing, and SD card storage. Once the phone and its accompanying alternative storage options are full, the device will be unable to receive or send messages until storage space is freed up.
Deleted Item Recovery: Third-party tools for recovering deleted messages from Windows Phone 8 currently have limited utility. Although the names of deleted files are fairly easy to recover, it is difficult to actually recover the contents of such files because the operating system has back-filled them with meaningless binary codes. Windows Mobile creates temporary files in various locations throughout the device that can provide useful information regarding deleted files, but the only way to examine these files is through the use of specialty forensic tools. Although there are limited deleted item recovery options, SkyDrive can be set to sync all messages to a user’s account if they have linked their account with their Windows Phone. If this function has been enabled, old messages deleted locally on the device may still be available via SkyDrive. Messages are generally stored as text files and can be viewed with any text editor, MS Word, and in some cases directly online via Office 365.
Legal Hold & Preservation Options: Windows mobile devices are easily deployed and managed through a number of third-party MDM suites such as AirWatch and Sophos Mobile Control. However, like the iOS platform, the Windows MDM API does not allow administrative access to personal information such as SMS messages and pictures, leaving administrators and legal teams with few options to enact a legal hold. If the user chooses to back up their personal data to SkyDrive, remote preservation and collection are possible from the cloud with user consent. Backups of the physical device can be made through Microsoft’s Zune software and a number of third-party desktop tools; however, these tools may not be as defensible as a forensic collection suite such as Cellebrite, which wireless carriers like T-Mobile use to transfer users’ data between devices. The time it takes to acquire a physical device and capture a backup or image leaves the organization at risk of spoliation due to the fact that mobile devices are easily broken, lost, or stolen before acquisition occurs.
Planning for SMS Discovery
As consumer technology becomes increasingly present in the corporate environment, a proper information governance strategy is paramount to ensure valuable business information is retained while stale data is purged to reduce legal and regulatory risk exposure. Today’s ever-connected, mobile worker generates an ocean of discoverable ESI that is essentially stored in their pocket or purse and likely falls just outside the sphere of administrative control. Initially a communication tool popular with teenagers and college students, SMS messaging is now a mature and ubiquitous collaboration channel. Recent case law suggests this data, and SMS messages in particular, are no longer unduly burdensome to preserve and collect. Although the number of devices, operating systems, and third-party tools present a dizzying array of consumer and business options, organizations of all sizes must carefully examine the intersection of governance policy and mobile device management options.
D4 is a national provider of electronic discovery, digital forensics, information security and management, and deposition services to law firms and corporations, and has been instrumental in helping customers realize up to a 70% cost reduction over previous eDiscovery solutions. At D4, we focus on technology and process to streamline the discovery life-cycle in the most defensible, practical and cost-effective manner possible. Founded in 1997 in Upstate New York, D4 has grown to a national presence. With over 160 employees, D4 has offices in Buffalo, Chicago, Detroit, Grand Rapids, Lincoln, New York City, Omaha, Orlando, Phoenix, Rochester, San Francisco, San Diego and Tampa. D4’s state-of-the-art Tier 3 data center and operations in Rochester are complemented by electronic discovery, digital forensics and paper document services in other offices across the country. D4 has been recognized by Inc. Magazine as one of the fastest-growing private companies in the US, and is a three-time Inc. 500/5000 honoree. www.d4discovery.com