The following article was authored by Robert Fried, SVP of Forensics and Investigations at Sandline Discovery and published within the May/June 2021 edition of PI Magazine. Beginning with the July/August issue of @PIMagazine, a new department, Cybersleuthing, will feature articles with a focus on relevant and current topics in the world of digital forensics. Robert Fried will lead the charge as author or co-author of articles, with colleagues from Sandline Discovery and other thought leaders from the digital forensics community.
B.Y.O.D Policies; When a Personally Owned Device Contains Potentially Relevant Data
In recent years, many organizations have implemented a Bring Your Own Device (BYOD) policy. This relatively new trend provides employees of an organization the opportunity to use their own devices, instead of an issued device, to connect to clients, colleagues, corporate systems, and resources, for the purpose of conducting business. The following devices are often included in an organization’s BYOD policy: computers, mobile devices (smartphones and tablets), and external media. What happens when data from these devices is potentially relevant to a litigation matter or investigation?
IT MAY NO LONGER JUST BE PERSONAL
As an investigator, it is important to understand the difference between a corporate-issued device and a personally owned device. Corporate-issued devices are provided by an organization to eligible employees. To help manage financial budgets and device maintenance, the information technology team within an organization typically has oversight of the devices that are issued. In addition, many organizations limit the types of programs or apps that can be installed on the devices. A personally owned device, on the other hand, is a device that is owned by the employee. Often, organizations with a BYOD policy provide a stipend to assist with the cost of the device or fees incurred by a service provider associated with the usage of the device. An individual may have both a corporate-issued device and a personally owned device. At first thought, carrying around two devices may seem redundant or burdensome; however, doing so provides individuals with a separation between their business data and personal data. The reality is, if a personal device is used to conduct business, it may contain data that is potentially relevant to a litigation matter or an investigation, and therefore, subject to preservation, collection, review, and production.
THE REWARDS AND THE RISKS
A BYOD policy offers several advantages, including:
- Employees can choose the device that they want and are comfortable using.
- Employees can choose a device with the latest technology.
- Organizations can save on costs associated with the purchase and distribution of the devices.
A BYOD policy, however, may bring with it some disadvantages, including:
- The introduction of foreign devices onto the organization’s systems and resources.
- Differences in the makes and models of devices being utilized across the organization.
- Diversification of software that is installed or being utilized on devices.
Although BYOD policies provide benefits, it is important for everyone in the organization to also weigh the potential issues and challenges that are likely to arise.
Individuals will be able to have more flexibility when utilizing a personally owned device; however, the organization may have to purchase and implement security solutions to protect its data, systems, and resources. Mobile Device Management (MDM) and encryption solutions may need to be utilized to help protect and manage data on the device. These solutions often have an impact if there is ever a need to collect data from the device. It may be necessary to work closely with the Administrator, a designated information technology contact, or the employee to relax the MDM solution or obtain the necessary information to decrypt the data.
Providing an individual with a choice of what make or model device they can use for business purposes can help boost an individual’s morale and satisfaction with their employer. Permitting the usage of different makes and models of devices within an organization, however, may add complexity. For example, there may be limited internal support that can be provided. Additionally, there may be an impact to software, apps, policies, or configurations that may be part of internal initiatives within the organization. These differences in makes and models can also lead to challenges if data from the devices needs to be collected. Depending on the make and model of the device, it may be necessary for a data collection specialist to utilize different forensic tools or develop different methodologies.
Allowing an individual to utilize specific software or apps on a personally owned device may lead to an increase in productivity. However, if there is a lack of consistency in the software or apps being used, and an issue arises, it may become a burden for the individual to obtain the necessary support from the software or app developer or the organization’s information technology personnel. If it becomes necessary to collect data from the device, depending on the software or app of interest, and where it stores associated data, different forensic tools or methodologies may need to be utilized.
For those individuals who only have one device, it is often the case that business and personal data are co-mingled. Sometimes, personal data is stored in a folder named “personal” or “private” and business data is organized into folders, named according to a client, project, or subject, etc. If a data collection of the device is necessary, depending on the make and model of the device, a data collection specialist may need to collect all data saved locally on the device and subsequently identify and export only the relevant data. It is important to keep in mind, however, that the scope of a litigation matter or investigation can always change. If this occurs, a re-collection of data from the device may be necessary.
KEEPING THAT BALANCE
Co-mingled data can lead to increased sensitivity and complexity, especially if the data on the device needs to be collected. It is important to work with the employee, counsel, information technology personnel, and a data collection specialist to ensure that everyone understands the methodologies that will be utilized. Additionally, it may be necessary to balance the need to collect data from the device with any sensitivities that have been expressed or identified. Personally, I have experienced scenarios where an individual had become uncomfortable during the data collection process. While the data collection was being performed, they asked for their device back, spoke to their counsel for clarification on how the data will be searched, and once comfortable with the overall process, provided their device to perform the data collection.
Not only may there be sensitivities with the data collection process from personal devices but also in relation to the transportation and storage of the data. At these stages, the data is under the custody and control of the data collection specialist. It is recommended that the collected data be stored on encrypted target media and placed in secure storage or copied to a secure network storage location, until there is a decision about next steps.
There are pros and cons to everything, and BYOD policies are no exception. Many organizations are moving in the direction of implementing these policies. It is important to be informed, ask the necessary questions, and to be aware of any sensitivities that may be involved. Ensuring that everyone is on the same page, when it comes to how the data on a device will be identified, collected, and reviewed, will be vital to your success in dealing with personal devices that are used for business purposes.
Published by Robert B. Fried, SVP Forensics and Investigations
Robert B. Fried has over twenty-five years of experience performing data collections and forensic investigations of electronic evidence and is the Senior Vice President and Global Head of Sandline Discovery’s Forensics and Investigations practice. Prior to joining Sandline Discovery, Robert was a Senior Director for Consilio’s Digital Forensics & Expert Services practice. Robert has also held senior-level positions for the data forensics practices at Huron Consulting Group and DOAR Litigation Consulting. Additionally, Robert was a Computer Crime Specialist at the National White Collar Crime Center (NW3C), where he developed and instructed computer forensic and investigative training courses for federal, state, and local law enforcement agencies. Robert attained a BS and MS in Forensic Science from the University of New Haven. Additionally, Robert holds and actively maintains the following certifications: AccessData Certified Examiner (ACE), Certified Forensic Computer Examiner (CFCE), EnCase Certified Examiner (EnCE) and GIAC Certified Forensics Analyst (GCFA). Robert is a licensed Professional Investigator in Michigan and is a licensed Private Investigator in New York.