by Tony Dearsley, Computer Forensics Manager, Kroll Ontrack
Apple users recently celebrated the fifth anniversary of the iPhone, one of the world’s most successful and widely used consumer products. According to Kantar Worldpanel, Apple’s share of the UK smartphone marketplace stood at 34% at the end of 2011, and was even higher in the US at 44.9%. The iPhone, along with other smartphones based on the Android operating system, are now endemic in the corporate environment – introducing a whole new raft of challenges for computer forensics teams investigating legal or regulatory matters.
The rise of smartphones in the corporate world is being partly driven by the “consumerisation” of IT within business. Individuals are used to smartphone devices that they use to run every aspect of their personal lives, from social networking to recording events, and from GPS/location-based services to downloading and playing video or audio content. They want to extend this into their working lives, and more and more companies are having to find ways to accommodate smartphones into their IT infrastructure.
A recent study by iPass found that the majority (58%) of global mobile workers with a tablet computer use their devices for both personal and business purposes. Less than 14% viewed their tablet as primarily a work device – whether it was owned by them or by their employer.
As the functionality of iPhones and indeed iPads increases it becomes much more common for users to store information likely to be relevant to an investigation. The problem is that much of the thinking concerning portable devices is related to viewing them as phones (albeit very smart ones). This thinking is flawed and could not be further from the truth: the iPhone is more powerful and has more connectivity and storage than the average PC had six years ago.
The App explosion also means that someone’s mobile phone is even more of an imprint of their lifestyle than a “feature-phone” (non-smartphone) would be. If you were to examine a typical Android handset, you would find association and communication via not just contacts and SMS but also IMAP email, LinkedIn, Twitter and webmail, connections to wireless networks in various locations as well as Internet cache, web searches, satnav routes and a whole pile more. Six years ago if you’d seized a phone you would have only had calls, contacts, pictures taken with an inferior camera, SMS and MMS.
Significant issues arise when a personal device contains data that is subject to investigation. Questions such as, who owns the data? and how will the employee’s personal information be distinguished from company-owned data on a device that is being examined as part of an investigation?
While the number of Apple iOS and Android devices requiring examination by computer forensic teams is still relatively small it is growing significantly as organisations embrace the features and benefits afforded by allowing or encouraging their use.
iOS devices have always provided a unique challenge to the forensic investigator. Their proprietary and frequently changing operating system results in a constant game of catch up being played by those required to conduct forensic examinations. Similar challenges are seen with Android devices and the veritable smorgasbord of other tablets and smart phones now being introduced to the market.
In the knowledge that loss or theft of something so portable is an ever present risk hardware and software developers endeavour to secure the data on these devices with improved and modified security features. In many cases these same security features introduce challenges when it comes to reviewing the data for the purposes of an investigation.
In response forensic examiners have had to ensure their knowledge, skills and tools are kept up to date through constant research and training as well as relying on the manufacturers of forensic software to roll out new versions with support for the latest devices soon after new models hit the market.
A trend which complicates matters further is employers allowing employees to use their own devices for conducting business. This takes the management of the devices out of the hands of IT departments and relies heavily on users to ensure their device is up to date with the latest Operating System and therefore security patches. It also requires users to make judgement calls about how to secure the data stored on the device – with the principal risk of a data loss falling at the feet of their employer.
We have seen our clients employ a wide spectrum of policies in an attempt to manage this threat. Some companies issue devices to employees in the understanding that the company owns the device and that it should be used only for business purposes. These devices commonly have up to date software with fixed security profiles enabled.
Some of our clients have now embraced the concept of ‘bring your own device’ within a structured, progressive yet secure environment, providing apps in internal company app stores which allow access to business critical information on the move but without storing that data on portable devices.
However in an alarming number of cases we see the policy on mobile devices is ‘no policy’, with employees using their own devices without any management of how – or what – data is stored on them. While it seems relatively common practice that employees are informed that they should not store personal data on their work PCs or laptops, it seems this rule is relaxed for portable devices.
It is understandable that businesses, especially smaller organisations, may find allowing users to use their own phones and tablets an attractive proposition given the perceived cost saving. The lifecycle of Microsoft operating systems is currently approaching a point where wholesale upgrades to new versions of Windows and Office will require significant investment, and it is tempting to allow users to work on their own tablets or smartphones instead.
Organisations that consider this approach should ensure that they are considering the possible costs associated with an increased risk of data loss and difficulties should the worst happen and they find they have to investigate an employee who appears to be responsible for wrongdoing.
As with many aspects of information security the buck stops with policy. It is essential that any organisation planning to grab the portable device bull by the horns also ensures that information security policies (that often haven’t been updated since they were first written) are brought up to date to cover the technicalities and risks presented by the new devices they govern.
There is also the question of whether the data is actually on the device or whether it is on some remote storage facility (Cloud), and whether the service level agreement with the cloud provider allows this data to be produced within a sensible timeframe.
It’s worth mentioning that on the plus side, smartphones can also yield much more evidence than their predecessors. For example, it is becoming easier for forensic teams to identify deleted messages from SIM cards, as well as geo-tracking information from built-in GPS devices and photographs (sometimes taken at the scene of a crime). Lawyers need to be aware of these new frontiers of information and build them into their investigations.
As well as considering mobile devices from a forensics point of view, policy should encompass risks associated with data breaches.
The key risk in this area relates to data loss; copies of email and documents stored on employees tablets and smartphones run the risk of falling into the wrong hands should these small and easy to misplace or steal devices go missing. In the past, the damage possible through loss of a mobile device was limited by how little you are able to store on it but with today’s range of sophisticated devices boasting many gigabytes of storage, one misplaced phone could relate to a large chunk of your company’s data escaping into the wild.
It doesn’t just take loss or theft of the device for a ‘leak’ to occur. The increased screen size on tablets makes them perfect for working on the tube or train. But coupled with the boost in readability for the user also comes the risk that your emails, presentations and documents are being read by your neighbours who find themselves with nothing better to do that look over your shoulder.
If someone is looking over your shoulder with malicious intent, they can quickly use their phone to snap an image of your screen, with apps available now that can use OCR to convert the photograph into editable text.
The influx of smartphones and tablets to the workplace is inevitable – whether the devices are company provided or not. These devices certainly have the potential to improve productivity and often bring a presentation to life – however if appropriate usage policies are not introduced and security considerations not taken, then these same devices could prove to be a double-edged sword. Most of the challenges and data security threats discussed above can be mitigated through proper and adequate education of employees and proper analysis of the security implications prior to rolling them out.