Our colleague, Michelle Lippert, recently asked the question, “Mobile Devices in Discovery – Blessing or a Curse?” Michelle articulates that although mobile devices are a blessing for companies, as they allow constant connectivity for their employees, they can be a curse in litigation. She asks you to think about how you use your mobile device – work emails, personal emails, texts, group chats, and taking photos – it is not always work related! Further, you commonly need the physical asset in order to recover any information, although there are some exceptions to this rule.

But, what if we looked to mobile devices in the investigatory context? Would we reach the same conclusion? In this blog I will cover another side of the spectrum.

To better demonstrate how mobile devices can be utilized in an investigation, please refer to the example below of a European internal investigation examining the possibility of cartel activity.

Acme Rocket Powered Products, a corporation suspected of price-fixing, needed to gain an understanding of the facts in order to decide the best strategic response, should such activity exist. Through custodian interviews, Acme Rocket Powered Products identified that the custodian Coyote was the suspected individual arid, as such, collected his or her laptop images, email data, and mobile device.

Based on the example above, what should Acme Rocket Powered Products do? For each of the following advised steps, the corporation should work in collaboration with its legal team and ediscovery provider.

  1. First, loose files and email data should be loaded into a preferred review tool. The utilization of a review tool will help to quickly identify the fact pattern and find supporting evidence.
  2. Next, keywords should be drafted, in collaboration with legal. Because of the suspected cartel activity, a list of competitors would be an excellent start to a keyword list. Acme Rocket Powered Products should also focus on communications, as to fix prices, the prices must be communicated in some way. 
  3. To focus on communications with competitors, a domain report should be run in order to identify all of the competitor domains in the database.

Acme Rocket Powered Products found only a small number of documents which contained emails sent to or received from competitor domains. Acme Rocket Powered Products provided these to their legal team, who explained that these documents contained no reference to price-fixing and so the emails were not relevant to the investigation. This was surprising.

  1. Next, calendar items within the email data should be examined.   

In this instance, there were no calendar items with competitors' domains, however, oddly enough there were random calendar notes with initials in the subject line. These were then provided to the legal team who advised that the initials aligned with people known to work at competitors. There was no further information around the calendar notes and there were no emails or supporting documents. This was unsettling.

  1. Therefore, the keyword list should be expanded to include sensible terms like “price list.” Statistical sampling can then be run to examine the success of the keyword list.

The keyword results were limited and the legal team determined the results were not relevant to the case. This is a confusing set of outcomes. The legal team informed Acme Rocket Powered Products that it is highly likely that cartel activity had been occurring, based on the information gleaned from custodian interviews, but the supporting evidence was proving elusive. It is time to turn to mobile devices.

When it comes to mobile devices, both live and deleted data from key individuals’ devices can be extracted. It is not always possible to guarantee that all deleted data can be recovered from devices, as there are a number of moving parts that will contribute to this, such as the device itself, the operating system version, the software used, and the frequency the user deletes items from the device. When working with mobile devices the same strategies that apply to email data should be applied to the data contained on the mobile device.

Coyote's mobile phone was forensically examined. On the mobile phone, an array of different instant messaging applications were found, such as Skype, iMessage and Kik.

Upon discovery of these various communications, the next steps are:

  1. Apply the keywords – both those like “price list” and the competitor names – used for the email data.
  2. Identify which of the messages were deleted.
  3. Provide the messages which hit on the keywords to the legal team for review, ensuring the legal team sees the full conversation thread, including attachments and pictures.

After reviewing these messages, the legal team found that Coyote had been instant messaging Road Runner. Coyote deleted Road Runner's messages and there were picture attachments in the messaging conversation thread. These pictures appeared to be photographs of price lists and accompanying messages that read, "as discussed over coffee." The legal team informed Acme Rocket Powered Products that Road Runner worked for a competitor.

The deleted messages indicated that Coyote met Road Runner for coffee to discuss price lists, but there was not anything on Coyote's calendar except one item with "RR" in the subject line. Suspicious behaviour indeed!

To better understand Coyote’s movements, location data held within the mobile phone should be examined.

Within the location data, Acme Rocket Powered Products found that Coyote had been looking up the address of the competitor company where Road Runner works. Although this did not mean that Coyote travelled to the location, it did raise the question as to why Coyote was searching for directions to get there.

While examining the mobile device, the corporation managed to uncover significantly more support evidence for the price fixing than was available from the email data.

Therefore, for corporations undertaking such an internal investigation, it is clear that mobile devices are a blessing.Where email communications failed to tell the story for Acme Rocket Powered Products, mobile devices filled in the blanks and gave the company the supporting evidence it needed to charge Coyote for cartel activity. In this particular case, the corporation and legal team was armed with the full fact pattern between Coyote and Road Runner, and therefore, they were able to best strategize how to handle the incident and plan next steps.

When faced with such an investigation, it would be prudent to consider:

  1. collecting the custodians’ mobile device(s), along with the laptop images and email data;
  2. stressing that your ediscovery provider should attempt to forensically recover deleted data from the mobile device where possible; and
  3. encouraging creativity when examining mobile devices and thinking about how you use them in your day-to-day life, as Michelle explained.

It can be challenging to tell if you have a Wile E Coyote amongst your employees. Take the steps above and ensure you are covering all your bases, and that you are not letting Road Runner escape with your confidential information!