In a recent case, an employee left for a rival manufacturing company and was suspected of IP theft. Specifically, the employee was suspected of taking photos of the manufacturing plant floor. While investigators and digital forensics specialists have a wide range of tools and approaches available to help them crack open cases, one emerging approach that is changing the digital investigation landscape is the use of smartphone location services. These can confirm the specific location of a person of interest at a specific time. In the IP theft case, for example, investigators were able to extract GPS coordinates from the photos taken on the mobile device and plot the points on Google Earth. This allowed the investigators to pinpoint photos that were taken in the manufacturing plant of interest.
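The photo workflow described above can be sketched as follows. This is an added example, not code from the original article or the investigation: it converts EXIF GPS tags to decimal degrees, flags photos taken within a perimeter around a site, and writes placemarks Google Earth can open. The file names, site coordinates and radius are constructed for illustration.

```python
import math
from xml.sax.saxutils import escape

# Constructed sample records (not case data): EXIF GPS tags as a reader returns
# them, each coordinate as three (numerator, denominator) rationals: deg, min, sec.
PHOTOS = [
    {"name": "IMG_0101.JPG", "lat": ((41, 1), (52, 1), (4182, 100)), "lat_ref": "N",
     "lon": ((87, 1), (37, 1), (4716, 100)), "lon_ref": "W"},
    {"name": "IMG_0102.JPG", "lat": ((41, 1), (47, 1), (0, 1)), "lat_ref": "N",
     "lon": ((87, 1), (45, 1), (0, 1)), "lon_ref": "W"},
    {"name": "IMG_0103.JPG"},  # no GPS tags, e.g. location services were off
]
PLANT = (41.8783, -87.6298)  # hypothetical site coordinates (lat, lon)
RADIUS_M = 250               # hypothetical perimeter radius in metres

def dms_to_decimal(dms, ref):
    """Convert EXIF degrees/minutes/seconds rationals to signed decimal degrees."""
    deg, minutes, sec = (n / d for n, d in dms)
    value = deg + minutes / 60 + sec / 3600
    return -value if ref in ("S", "W") else value

def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))

def locate(photos, site=PLANT, radius_m=RADIUS_M):
    """Return one row per photo; on_site is None when the photo has no GPS tags."""
    rows = []
    for p in photos:
        if "lat" not in p or "lon" not in p:
            rows.append({"name": p["name"], "pos": None, "on_site": None})
            continue
        pos = (dms_to_decimal(p["lat"], p["lat_ref"]),
               dms_to_decimal(p["lon"], p["lon_ref"]))
        rows.append({"name": p["name"], "pos": pos,
                     "on_site": haversine_m(pos, site) <= radius_m})
    return rows

def to_kml(rows):
    """Build a KML document for Google Earth; KML wants lon,lat order."""
    marks = "".join(
        f"<Placemark><name>{escape(r['name'])}</name><Point><coordinates>"
        f"{r['pos'][1]:.6f},{r['pos'][0]:.6f}</coordinates></Point></Placemark>"
        for r in rows if r["pos"])
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<kml xmlns="http://www.opengis.net/kml/2.2"><Document>{marks}</Document></kml>')

if __name__ == "__main__":
    for row in locate(PHOTOS):
        print(row["name"], row["pos"], row["on_site"])
```

A photo with no GPS tags is reported as undetermined rather than off-site, since missing tags say nothing about where the picture was taken.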
Tracking the evidence
Location-based tracking has played a role in a few recent high-stakes matters, and ultimately the evidence that resulted provided the proverbial nail in the coffin that sealed the case. By combining the findings of this technology, such as a suspect’s use of certain Wi-Fi hotspots or location per iPhone imaging, with other evidence, investigators can piece together the key facts.
In one case, a large real estate company terminated an employee for suspicious behavior, and the employer needed to determine if the person was in the company’s offices at some point after the termination. The employee was suspected of stealing company documents and potentially accessing certain documents after departure from the company. The investigators looked at data on the employee’s phone, including text messages and other data that indicated location. The evidence that was found through this method ultimately ended up being used in the depositions for the case.
It should be noted that the amount and type of location data can vary from phone to phone based on settings, applications installed and other factors. As long as a location-capable phone running a current operating system (Apple iOS, Android, BlackBerry) is turned on and connected to a cellular network, it will be collecting location information. This information is saved by the operating system. Location data may also be saved by other applications, such as a camera application embedding location data in a picture. The usefulness of location data will depend greatly on the information needed for a case as well as the settings that have been put in place on the device of interest.
These types of location services have made some significant changes to digital investigations. As they are increasingly used, it is important for counsel to understand the key considerations and best practices for using location-based tracking for corporate investigations. In addition to looking at location data, text messages on mobile devices can also provide valuable clues, and investigators will want access to that type of data. The trend toward bring-your-own-device (BYOD) workplaces further complicates the landscape and requires legal departments to become involved in developing corporate policies around use of personal devices at work.
Often with investigations into mobile devices, pass codes are required for preservation. In BYOD environments, this is often difficult to manage as pass codes are maintained and owned by each individual on his or her personal device. This can pose problems when confiscating a device and attempting to preserve the data as it typically requires the cooperation of the employee to gain access.
Laying the groundwork
Whether an employee is using a company-issued or personal device, solid policy and employee education are the foundation of mobile device management and the subsequent use of mobile device location tracking for investigations. Key best practices to consider include:
1. Policy development: Key stakeholders need to work together to develop policies around mobile devices and how the company may track them. Legal, IT, HR and compliance should all work together to create sound policies that govern company access to devices, define to what extent employees are allowed to use their company-issued devices, and clarify privacy and security protocols for data residing on mobile devices.
2. Know where you stand regarding BYOD: Users are typically more comfortable and more productive when they are able to use their own preferred personal device for work. The use of personal devices can also save companies money by not having to provide devices to employees. However, BYOD environments do have heightened security risks and require more attention from IT, legal and security. As such, experts typically recommend use of company-issued devices exclusively. However, whether a company allows personal devices access to the network or not, legal needs to know where the company stands on this issue, and consider how these devices come into play in the broader e-discovery picture.
3. Device access: The company’s mobile policy and device management software should ensure that the company always has access to devices within the network, and that legal has the right to take a device, look at the data on it and image it for forensic purposes if needed. Generally, employees using personal devices should be regulated by BYOD policies that allow legal access to the data on the device in the event of litigation or an investigation. Employees typically understand that company data is company property and most employees are cooperative with providing access to their devices when requested.
Mobile devices are an integral part of any legal team’s strategy for e-discovery and forensic investigations. The presence of policies and sound mobile management are key to ensuring company access in the event of a matter that requires finding evidence on mobile devices. Most importantly, these devices should be centrally managed by IT given the importance and amount of key data likely stored within – data that could ultimately make or break an investigation.