Apple’s Messaging Sync is Blasting Holes in iPhone Collections
This latest Protek Practitioner’s EDGE Alert reveals a critical, yet seemingly little-noticed cell phone messaging development with major implications for investigations and litigation.
To gauge how critical this issue is, ask yourself: Do I have the stomach to live with 40,000 existing but unaccounted-for client text messages, each a ticking spoliation time bomb… or perhaps each representing the smoking gun that blows the case wide open in your client’s favor?
That’s exactly the scenario a recent Protek client would have faced had we not been on the lookout for the phone’s user having enabled iCloud for Messages syncing (so they can access their messages on multiple Apple devices) and accordingly collected text messages from both the device itself and the iCloud-resident iSync repository.
That is 40,000 missed text messages if collecting only the device or only the iCloud-resident data. Either option would have been perfectly defensible before iCloud for Messages syncing.
Also critical is that the right collection tool be used, as only one tool presently properly collects the iSync data to provide for a defensible collection.
How do you protect yourself from this critical pitfall?
1. Vet your forensics/eDiscovery vendor to make sure they have previously executed a fully defensible collection where iCloud for Messages is in play.
2. Verify that the vendor has checked whether iCloud for Messages is enabled on the device.
3. If it is enabled:
   a. Verify that the tool being used has been tested and works.
   b. Verify that the data from both the device and the iCloud iSync repository has been properly collected.
   c. Expect challenges in post-collection processing and production/deliverables, as the forensic/eDiscovery tools have not caught up to the changes.
As referenced in 3.c., there are several post-collection challenges, so be prepared for delays and double-check your deliverables. If you have the preservation properly handled, any other challenges can be corrected.
Final Note: No joy in Android World. Message (and other content) syncing in Android creates the same issues.
Next Practitioner’s EDGE Installment: Where Has the Critical User Activity Evidence Gone?
To receive this next EDGE Tip in Protek’s continuing Practitioner’s EDGE Alerts/Tips installments, please feel free to send an email to info@protekintl.com with the subject line “Send EDGE.”