We frequently get questions on Apple/iOS devices in the context of commercial and family law litigation, and the production of data in e-discovery. Rightfully so, because it can be confusing. Most attorneys now know that when there is a litigation hold implemented or an investigation is pending, the Apple iOS device itself (and any passcode thereto) needs to be retained and isolated for forensic extraction and processing if the attorney deems relevant data to be on the device.
However, consideration must also be given to what USED to be on the device, i.e., deleted data. There are typically three primary ways this deleted data is obtained. The first is, obviously, through the DEVICES themselves. Although Apple’s security on the newer iPhones (4S and above) prevents recovery of some deleted data, current forensic tools allow for the extraction of deleted Contacts, iMessages, SMS messages, call records, and Apple Notes. Retaining the device for forensic analysis, as noted above, will allow the attorney to retain, preserve and process this data.
It is important to note here that some individuals who own multiple iOS devices unintentionally configure more than one device to receive copies of the same iMessages. (This is an intentional Apple feature, even when the user has enabled it unintentionally. To configure it properly, see, among other articles on the topic: http://www.igeeksblog.com/how-to-set-up-imessage-on-multiple-devices/ )
Needless to say, this may expose otherwise private communications to a third party, which may become the genesis of litigation itself. However, it also creates the possibility that data deleted on other Apple devices may then be recoverable on a secondary device receiving the same iMessages. Be sure to ask the client for all digital devices to allow a forensic professional to evaluate and to account for (or rule out) this possibility. “Devices” includes Apple devices not running iOS (such as Macs and MacBooks) that may have the iMessage feature enabled on the device.
The second way that data may be obtained is through the CLOUD, specifically Apple’s “iCloud”, if the data on the device was backed up during the relevant time period. If enabled, iCloud backups typically occur each time that an iOS device is plugged in, charging, and connected to WiFi.
So as not to disturb the primary iOS device of an individual (after all, the fact that a message was deleted may later become relevant in and of itself), restoring from iCloud to a clean Apple device is the best practice, leaving the device itself in its original state. Then, whatever has been backed up to iCloud but possibly lost or deleted in the interim (messages, emails, contacts, images or videos), should be restored to that new, clean Apple device.
Apple also appears to provide iCloud backup files to law enforcement pursuant to legal process, and there are forensic tools that will allow for processing of a native iCloud file provided directly by Apple. This will generally not be the case in civil matters, however. There are commercial platforms that will allow for the download/viewing of contents of an iCloud backup without requiring an Apple device. A good example of this is the web service Teensafe (www.teensafe.com), which, until the recent rollout of iOS 8, was even able to derive deleted text messages from an iCloud account for the purposes of parental monitoring of adolescents. It is also possible, of course, to log in to www.icloud.com and view the available data, but more data is typically retained in a true iCloud backup than is readily viewable on Apple’s iCloud web interface.
Third, and finally, even fewer attorneys and e-discovery professionals realize that Apple’s ITUNES program can also create backups of iOS devices and store them on a computer, whether running Mac or Windows, when an iOS device is connected to that computer and synced with iTunes. (Such syncing may also leave a special file that can break the passcodes on the iPhone 4S and above, but that is a topic for another post.) These Apple backup files keep the data on that iOS device as of the last time the device was backed up to that computer. So if a backup was done on Monday and messages were deleted from the device on Thursday, then on Friday that iTunes backup could be parsed with a forensic tool to capture the lost messages stored on the computer. These iTunes backup files can be isolated, extracted, preserved and processed by a forensic professional, with a final work product similar to what the professional could have produced from the iOS device itself.
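As an added illustration (not part of the original post and not any forensic tool's own code), the Python example below inventories iTunes backup folders on a preserved copy, records a SHA-256 hash for every file, and flags the backups taken before a deletion date, as in the Monday/Thursday scenario above. It assumes each backup folder holds an Info.plist with "Device Name" and "Last Backup Date" keys; the function names and the sample-building helper are hypothetical.

```python
import hashlib
import plistlib
from datetime import datetime
from pathlib import Path

# Typical backup roots (work on a preserved copy, never the live folder):
#   macOS:   ~/Library/Application Support/MobileSync/Backup
#   Windows: %APPDATA%\Apple Computer\MobileSync\Backup

def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup files are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def inventory_backups(root: Path) -> list[dict]:
    """Read-only inventory of every backup folder under root, oldest first."""
    found = []
    for info_path in sorted(root.glob("*/Info.plist")):
        with info_path.open("rb") as fh:
            info = plistlib.load(fh)  # handles XML and binary plists
        folder = info_path.parent
        files = sorted(p for p in folder.rglob("*") if p.is_file())
        found.append({
            "folder": folder.name,
            "device": info.get("Device Name"),
            "last_backup": info.get("Last Backup Date"),  # naive datetime, UTC
            # Per-file hashes recorded before any parsing tool touches the copy.
            "hashes": {str(p.relative_to(folder)): sha256_file(p) for p in files},
        })
    return sorted(found, key=lambda b: b["last_backup"] or datetime.min)

def backups_before(inventory: list[dict], deleted_on: datetime) -> list[dict]:
    """Backups taken before the deletion date may still hold the deleted items."""
    return [b for b in inventory if b["last_backup"] and b["last_backup"] < deleted_on]

def make_sample(root: Path, name: str, device: str, when: datetime) -> None:
    """Build a constructed sample backup folder (not real case data)."""
    folder = root / name
    folder.mkdir(parents=True)
    with (folder / "Info.plist").open("wb") as fh:
        plistlib.dump({"Device Name": device, "Last Backup Date": when}, fh)
    (folder / "Manifest.db").write_bytes(b"constructed sample")
```

Call `inventory_backups()` on the copied backup root, then pass the result and the suspected deletion date to `backups_before()` to see which backups are worth parsing.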
So, in summary, when dealing with iOS devices and looking for potential places that data could be stored, think: 1) DEVICES, 2) ICLOUD, and 3) ITUNES when conducting your investigation. While no two cases are alike and it may not get you 100% of the way in every case, failing to look in each of these places may omit critical data not available elsewhere. CW