Social media, mobile devices & collaboration tools
During most disputes there are dozens of potentially relevant sources of electronically stored information (ESI) from social media, mobile devices, collaboration tools and more.
As the importance of collecting this data continues to grow, so does the number of collections projects we do each week.
Today we want to share some of the highlights of data collection by answering the questions we get asked most frequently.
What all is included in data collection?
A few categories of data most commonly available and requested by our clients are:
- Call logs
- Emails and attachments
- Text messages
- Instant messages
- Pictures and videos
- Location history
- Web browser content
- WiFi connection logs
- Calendar items
- Social media metadata
- File share drives
- Software and business tools like Microsoft Teams and Slack
Why is collecting data so complicated?
Software and hardware manufacturers are in a constant game of cat and mouse with data collection software developers, government agencies, and hackers.
Many of the same back doors that were exploited by law enforcement and private sector data collection software were also exploited by bad actors. To shore up data security against hackers, it is necessary to continually identify and solve security threats within the software and hardware available today.
This cycle of threat identification, fix, and software patch release, creates serious challenges for software developers in the data collection industry.
What factors determine how much useful data we can collect?
There are 3 main factors: time, budget, and access.
- Time: How much time do we have with the device or account? How much time do we have for analysis?
- Budget: What resources are available to meet our goals?
- Access: Do we have physical access to the device? Are we performing a “friendly” collection meaning we have username/password and user/owner cooperation? Is the person deceased?
Can you collect deleted information from my mobile device?
It depends, but we do have questions that help us determine the feasibility of recovering deleted information from these devices.
- What model of phone or tablet are we collecting from?
- What version of iOS or Android is it running?
- Do we have physical access to the device?
- Do we have cooperation from the account owner?
Depending on the answers to these questions, the likelihood of data recovery will differ greatly.
In short, data recovery from newer devices and updated operating systems is much more difficult than on legacy devices and older software versions.
In most cases, recovery of deleted information is an expensive and time-consuming endeavor.
Recovering deleted data quickly and inexpensively is becoming harder every day.
Can you show the location of the user when X occurred?
Assuming the phone and software are in standard working form: Yes.
Each event on a phone (text sent, picture taken, message received) is logged. This log entry includes the time and location of the user when the event occurred.
Can I get a download of everything this person has posted on social media?
Most of the data collection software on the market is geared toward doing a collection of publicly available information.
As long as we have access to this person’s account, we can collect all posts that remain at the time of the collection.
If the custodian has deleted tweets/posts, they cannot be retrieved by any publicly available software.
There are some websites that archive Twitter and Facebook in (close to) real time. This means that if you know the date and time that the post existed, you may be able to find the deleted post. However, their admissibility is far from universal.
Can you show what content/pictures this person liked/commented on on social media?
This is platform specific and depends on our access. Some platforms make it easy to review, and capture, a user’s entire activity history. In all cases, this requires that you have the user credentials that only accompany a “friendly” collection.
If you are collecting information on someone who has not granted you username and passwords, your options are limited to a more manual process of secure screenshots. Just like it sounds, we browse web content using specialty software and take secure screenshots of the content that includes a chain of custody and an affidavit to prove the existence of the content. This process is more time consuming and costly.
Can you get chat logs from Instagram/Facebook messenger?
In “friendly” collections, the answer is usually yes. With a current username/password and the cooperation of the account owner, the process is fairly simple.
The answer is no if we don’t have the username and password to at least one party of the message communication. In cases like that, you would need to work within the framework of each platform to subpoena information.
Can we collect data from platforms like Microsoft Teams and Slack?
The short answer is yes. These tools have native export capability, some more robust than others.
Microsoft Teams has a robust search/export function through their built-in eDiscovery and Compliance applications.
Slack doesn’t have these capabilities built in natively, but there are many 3rd party eDiscovery tools that allow for collection from Slack with access to their discovery API.
Prior to collection, we recommend discussing the parameters of potentially relevant discovery for the purposes of limiting scope as much as possible. Discuss things like date ranges, specific users, specific channels or sites, etc.
Think about data collection early in a case.
Bottom line: A lot of things are possible. Money, time, and cooperation make things easier. And the sooner you plan, the better off you will be.
Complete Legal is one of the only eDiscovery companies in the region with our own forensics team.
We take great pride in not offering a pre-set, “take it or leave it” solution to anyone. We focus on each case as its own entity, as we understand that solutions can vary greatly from case to case.