When computer forensics was in its infancy, examiners collected evidence from disks by copying their contents byte-for-byte to matching, sterilized disks, creating archival and working copies called “clones.” Cloning drives was inefficient, expensive and error prone compared to the imaging processes that replaced it. Yet, disk cloning worked for years, and countless cases were made on forensic evidence preserved by cloning and examined on cloned drives.
Now, cloning may be coming back, not to preserve hard drives but to collect data from mobile devices backed up online, particularly Android phones. If I’m right, it will be only a stopgap technique; but it will also be an effective (if not terribly efficient) conduit by which mobile data preserved online can be collected and analyzed in discovery.
Case in point: Google’s recently expanded offering of cheap-and-easy online backup of Android phones, including SMS and MMS messaging, photos, video, contacts, documents, app data and more. This is a leap forward for all obliged to place a litigation hold on the contents of Android phones — a process heretofore unreasonably expensive and insufficiently scalable for e-discovery workflows. There just weren’t good ways to facilitate defensible, custodial-directed preservation of Android phone content. Instead, you had to take phones away from users and have a technical expert image them one-by-one.
Now, it should be feasible to direct custodians to undertake a simple online preservation process for Android phones having many of the same advantages as the preservation methodology I described for iPhones two years ago. Simple. Scalable. Inexpensive.
But unlike the iOS/iTunes methodology, Android backups live in the cloud. At first, I anticipate there will be no means to download the complete Android backup to a PC for analysis. Consequently, when we must process the preserved data for litigation, we may need to first restore the data to a factory-initialized “clean” phone as a means to localize the data for collection. That’s not to say that Google won’t eventually offer a suitable takeout mechanism; after all, Google Takeout capabilities are second to none. But, until we can back up Android content in a way that it can be faithfully and intelligibly retrieved directly from Google, examiners may revive the tried-and-true practice of cloning evidence to clean devices and then collecting from the restored device. Everything old is new again.
It won’t be so bad to use this stopgap approach considering that e-discovery typically entails preservation of far more mobile sources than need ultimately be processed. So, while backing up many online and cloning a few to clean phones certainly isn’t a perfect solution for Android evidence, it’s good enough and cheap enough that courts should give short shrift to parties claiming that preserving phone evidence is unduly burdensome or complex. For, as my e-discovery colleagues love to say, “Perfect isn’t the standard.” I agree. But, neither is the standard, “we couldn’t be bothered, judge.”
Kashif said:
Agree, cloning to a clean phone may be a reasonably simple way to review data, but it may be hindered by the uncountable number of Android device / manufacturer-specific derivatives. If the handset maker did not stick to stock Google Android applications and, for example, used its own dialer or messaging app (I am looking at you, Samsung), it already makes things complicated (besides the fact that these specific apps and their data may not even be backed up by the Google One solution).
On the flip side, it would be too easy otherwise…
craigball said:
I thought about that. It’s absolutely a valid concern and examiners will need to know the impact of their choice of target phone insofar as it differs from the source evidence. We faced this in disk cloning, too, because the geometry of target disks often had to vary from the evidence disks. Imagine how difficult it was to obtain drives with identical geometries back when physical disk geometry was still a “thing.” My response is, “what’s your better alternative?” No preservation at all? I don’t regard ‘not preserving at all’ as a superior alternative to preserving robustly with the possibility that you may not recover every byte preserved.
I’m not pointing a finger your way; but lately there are two teams competing in e-discovery: The Blue Team wants evidence preserved and seeks solutions and accountability. The Red Team prefers it go away and seeks justification to do nothing and immunity from spoliation. When did everybody in the e-discovery community start playing for the Red Team?