When computer forensics was in its infancy, examiners collected evidence from disks by copying their contents byte-for-byte to matching, sterilized disks, creating archival and working copies called “clones.” Cloning drives was inefficient, expensive and error-prone compared to the imaging processes that replaced it. Yet disk cloning worked for years, and countless cases were made on forensic evidence preserved by cloning and examined on cloned drives.
Now, cloning may be coming back; not to preserve hard drives but to collect data from mobile devices backed up online, particularly Android phones. If I’m right, it will be only a stopgap technique; but, it will also be an effective (if not terribly efficient) conduit by which mobile data preserved online can be collected and analyzed in discovery.
Case in point: Google’s recently expanded offering of cheap-and-easy online backup of Android phones, including SMS and MMS messaging, photos, video, contacts, documents, app data and more. This is a leap forward for all obliged to place a litigation hold on the contents of Android phones — a process heretofore unreasonably expensive and insufficiently scalable for e-discovery workflows. There just weren’t good ways to facilitate defensible, custodial-directed preservation of Android phone content. Instead, you had to take phones away from users and have a technical expert image them one-by-one.
Now, it should be feasible to direct custodians to undertake a simple online preservation process for Android phones, one having many of the same advantages as the preservation methodology I described for iPhones two years ago. Simple. Scalable. Inexpensive.
But unlike the iOS/iTunes methodology, Android backups live in the cloud. At first, I anticipate there will be no means to download the complete Android backup to a PC for analysis. Consequently, when we must process the preserved data for litigation, we may need to first restore the data to a factory-initialized “clean” phone as a means to localize the data for collection. That’s not to say that Google won’t eventually offer a suitable takeout mechanism; after all, Google Takeout capabilities are second to none. But until we can back up Android content in a way that lets it be faithfully and intelligibly retrieved directly from Google, examiners may revive the tried-and-true approach of cloning evidence to clean devices and then collecting from the restored devices. Everything old is new again.
It won’t be so bad to use this stopgap approach considering that e-discovery typically entails preservation of far more mobile sources than need ultimately be processed. So, while backing up many online and cloning a few to clean phones certainly isn’t a perfect solution for Android evidence, it’s good enough and cheap enough that courts should give short shrift to parties claiming that preserving phone evidence is unduly burdensome or complex. For, as my e-discovery colleagues love to say, “Perfect isn’t the standard.” I agree. But, neither is the standard, “we couldn’t be bothered, judge.”