Exterro's Legal GRC Breakdown

Get your daily dose of news, best practices, and technology from Exterro's e-discovery, privacy, and digital forensics experts here.


Piecing Together the eDiscovery “Puzzle” is More Challenging Than Ever: Part 2

Created on July 15, 2020

Written by Doug Austin, Editor of eDiscovery Today.

Last time, we discussed how difficult piecing together the eDiscovery “puzzle” has become, with so many new sources of ESI than ever before to manage, and we discussed some resources and challenges associated with social media discovery. Today, let’s take a look at discovery of mobile devices and messaging/collaboration apps.

Mobile Devices

Who doesn’t have a mobile device these days? Whether issued by the organization or owned directly by the custodian and used under the company’s Bring Your Own Device (BYOD) policy, mobile devices are almost always discoverable in litigation now. Here is a listing of potentially discoverable data from mobile devices alone:

Files*, Photos*, Videos*, Music, Ringtones, Books, Messages*, Phone Call History, Voice Mail, Browser History and Bookmarks, Calendar Entries, Contacts, Notes*, Voice Memos*, Data from Apps, Data from the File System and Geolocation Data.

* = Frequently relevant and should be routinely collected (per Craig Ball’s Mobile to the Mainstream guide, October 2018)

Once again, there is good news and bad news here. There are many ways to preserve and collect mobile device data, including custodian-directed preservation (e.g., here are iPhone and Android approaches, once again courtesy of Craig Ball) or forensically, using products like Cellebrite, XRY Logical, Oxygen Forensic Suite and Lantern (just to name a few). The custodian-based approach is relatively simple and can be performed by the custodian themselves while the forensic approach is performed by a trained and certified forensic examiner.

Again, the bad news is that the data, while collected, may not be very usable for assessment, review and production as is. Not just in format, but also in structure. For example, compare text messages to emails. You’ve been so used to email platforms including the entire text of the original message when you reply to an email that you probably don’t even realize there is an option to turn that off in many email platforms, including Outlook. Since email platforms do include the original text by default, each email is essentially a snapshot of the conversation up to that point—it’s like receiving the “puzzle” with part of it already assembled.

Each text message, on the other hand, is typically a single response within a conversation—it often lacks context without the rest of the conversation, making it difficult to determine relevancy on its face. Not to mention that text communications are so casual, it may be sometimes difficult to even determine what even constitutes a “conversation.” So, you often have to piece together the individual messages to review what is deemed to be a text conversation in context and probably have to produce the assembled conversation as well, if it’s relevant. It’s truly piecing together the “puzzle” from scratch.

When it comes to mobile device data, presentation (for early assessment, review and possible production) is an even bigger challenge than preservation and collection. We are starting to see progress here with products that are presenting the mobile device data much more in a manner similar to how it’s viewed in the device itself—with communications between parties shown (within a given day or lifetime) and geolocation data mapped to see the actual corresponding location. I expect we will see a lot of growth in this area over the next few years.

Messaging/Collaboration Apps

Part of the bad news here is that there are numerous messaging and collaboration apps out there—too numerous to count. Here are just a few of them:

Facebook Messenger, WhatsApp, Snapchat, Slack, Skype, Microsoft Teams, Yahoo Messenger, WeChat, Discord, Google Hangouts, Signal, Chatsecure, Wickr and DingTalk.

Several of these support the ability to create “ephemeral” messages which only last for a period of time before they are automatically deleted—the last two were featured in cases I’ve covered, including this one this May.

Since there are so many messaging and collaboration apps, it would take an entire additional (very long) article to cover them. So, I will single out three of the most popular apps for quick discussion:

  • WhatsApp: Believe it or not, WhatsApp is the number one instant messaging and free call app in the world with over 2 billion users (as of February 2020). But, WhatsApp was not originally intended for business use and started as a free alternative to SMS for private users. You can export individual chats out of Whatsapp which will export as a Zip file with a single text file (of the chat) and all your media files—here’s a guide on how to export them using Android and iOS.
  • Teams: If you use Office 365, you probably have MS Teams available for messaging and collaboration—it is the collaboration app of choice for Microsoft as Skype is being phased out. Discovery of Teams data is done through Office 365’s Core Discovery (here’s an article on setup) and you can discover most (but not all) types of data. Here is an article with more info on what is discoverable within Teams and how the output can be used.
  • Slack: I recently learned that Slack, which has become one of the most popular collaboration apps for business use, has a pretty extensive Discovery API. The Discovery API lets Org Owners on Slack’s Enterprise Grid plan use approved third-party apps to export (in JSON format) or act on messages and files from Slack for eDiscovery or Data Loss Prevention.

Piecing together the eDiscovery puzzle is so complex, it takes more than one blog post to cover it all! Next time, we’ll conclude by discussing discovery of audio/video files and Internet of Things (IoT) devices. See you then!

I want to thank the team at Exterro for the opportunity to be a guest author on their excellent blog—one that I’ve admired for years! Look for guest posts from Ron Rambo of Exterro on my blog, eDiscovery Today, as well!

Doug Austin is the Editor of the eDiscovery Today blog. Doug is an established eDiscovery thought leader with over 30 years of experience providing eDiscovery best practices, legal technology consulting and technical project management services to numerous commercial and government clients. Doug has published a daily blog since 2010 and has written numerous articles and white papers. He has received the JD Supra Readers Choice Award as the Top eDiscovery Author for 2017 and 2018 and a JD Supra Readers Choice Award as a Top Cybersecurity Author for 2019. Doug has presented at numerous events and conferences, including Legaltech New York, ILTACON, Relativity Fest, University of Florida E-Discovery Conference, Masters Conference and many local and regional conferences. Doug has also presented numerous CLE-accredited webcasts.